Cyber Incident Victim: Kent State University

Date: Feb 2020

Location: United States of America

Summary

A ransomware attack targeting Blackbaud, a cloud software provider, indirectly compromised Kent State University's alumni and donor data managed through the ResearchPoint platform. Exposed information included names, contact details, donation histories, and demographic records, though financial data such as bank accounts or Social Security numbers remained secure. The attacker exfiltrated a data copy before being expelled, prompting Blackbaud to pay a ransom while asserting the information was subsequently destroyed. The university alerted affected constituents about potential identity theft risks and suspicious solicitation attempts, expressing dissatisfaction with the delayed breach notification. Institutional Advancement officials reviewed alternative vendor options following constituent requests to opt out of communications.

Description

In May 2020, Blackbaud, a global cloud software provider serving nonprofits and educational institutions, detected a ransomware attack that had begun in February. The attacker accessed and removed a subset of data from Blackbaud’s systems before being expelled with the assistance of independent forensic experts and law enforcement. Blackbaud paid the ransom after receiving assurances the stolen data was destroyed, though the company confirmed no credit card details, bank account information, or Social Security numbers were compromised. Kent State University’s Division of Institutional Advancement, which manages alumni relations and philanthropy, was notified by Blackbaud in July 2020 that its data hosted on the ResearchPoint platform—used by the university for approximately 12 years—was among the affected systems. The exposed Kent State data included constituent names, email and mailing addresses, phone numbers, donation histories, and transaction amounts. University officials expressed disappointment over Blackbaud’s delayed notification, as the attack had been halted two months prior, and emphasized the priority of protecting alumni interests.

Kent State notified constituents on August 3, 2020, advising vigilance against suspicious activity and identity theft, particularly regarding donation solicitations via calls or mail. Assistant Vice President Leigh Greenfelder clarified that while ResearchPoint contained basic constituent profiles augmented with publicly available data, financial records and academic transcripts remained secure. Some individuals requested removal from marketing lists, though the university explained that core relationship histories couldn’t be deleted from the database. The incident prompted Kent State to evaluate alternative third-party providers for constituent management services. Other Ohio entities impacted included the Cleveland Museum of Natural History, which used Blackbaud for ticketing and guest communications; the Cuyahoga Community College Foundation, where donor demographic and engagement histories were exposed; and Holden Forests and Gardens, which warned members about potential misuse of personal information. Blackbaud declined to provide additional details beyond its July 2020 statement confirming the breach’s containment.
