Cyber Incident Victim: University of Missouri

In May 2020, a ransomware attack targeted Blackbaud, a cloud-based fundraising software provider used by the University of Missouri's four campuses, resulting in unauthorized access to donor data. The breach was detected and halted by Blackbaud before the attackers could fully encrypt their systems, though the cybercriminals exfiltrated a copy of stored data. The University of Missouri-Columbia was notified of the incident in late July 2020 and subsequently informed donors via a public statement on September 4, 2020. Compromised information included names, street addresses, dates of birth, phone numbers, email addresses, and sensitive wealth-related details such as net worth assessments and philanthropic histories. No financial data, Social Security numbers, or bank account information was exposed, as the university had not shared those categories with Blackbaud. The breach impacted donor records across all University of Missouri campuses, with Missouri University of Science and Technology in Rolla confirming similar exposure in a parallel disclosure.

Blackbaud acknowledged paying the ransom after the attackers provided assurances that the stolen data had been destroyed, though the company admitted it could not guarantee deletion. Forensic investigations commissioned by Blackbaud found no evidence that exfiltrated data had been misused or publicly disseminated following the attack. The University of Missouri emphasized in its donor communications that the breach originated within Blackbaud's systems rather than university infrastructure, while confirming coordination with the vendor to assess security enhancements. Multiple educational and nonprofit institutions globally were affected by the same incident, as Blackbaud served numerous clients through its centralized fundraising platform. No operational disruptions or additional compromises at the University of Missouri were reported beyond the initial data exposure through Blackbaud's environment.