ST. AUGUSTINE, Fla. – Flagler College alerted its community Wednesday that a database that stores information on alumni, donors and friends had been the target of a ransomware attack.
An email from the private college’s vice president of Institutional Advancement said Blackbaud, a third-party service provider that creates software for colleges and nonprofits across the country, informed Flagler College that there had been a security incident.
The ransomware attack involved Blackbaud’s Raiser’s Edge database, which the St. Augustine college said it uses to store some information.
The college said Blackbaud detected and stopped the attack, which lasted from February to May, but some unencrypted information, like names, addresses and phone numbers, was exposed to the hackers.
Flagler College said no credit card information, bank account information, Social Security numbers or academic records were compromised in the attack. A school leader told News4Jax that the attack didn’t affect current students.
Blackbaud said on its website that it “paid the cybercriminals' demand” to get the stolen data back “with confirmation that the copy they removed had been destroyed.”
Chris Freedman’s company, OnDefend, works to protect companies from these cybercrimes, which can be damaging and expensive to fix.
“This is not uncommon. Unfortunately, most of these service providers house data -- it can be personal information it could be health care information,” Freedman said.
He said there are several reasons a company might pay to get the data back.
“If their data was not backed up properly or if the data itself, the back-ups were encrypted and they did not have offsite hardcopies, typically you have to weigh the costs of restoring the data or re-creating the data from scratch or paying the ransom to try to retrieve your data from the bad actors,” Freedman said.
Blackbaud told Flagler College it has made changes to protect the data from any future attacks.
“But we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities,” the college said in an email to the Flagler College community.
Flagler said out of an abundance of caution it did a separate investigation of the incident with a cybersecurity firm to check on Blackbaud’s investigation process.
“We take your privacy very seriously at Flagler College, and we are exploring all options to ensure this type of breach does not happen again, including revisiting our relationship with Blackbaud,” Flagler College said.
School leaders are not releasing how many people’s data was breached. They also pointed out the Flagler College did NOT have to pay the ransom
Anyone with questions or concerns can contact Jay P. Kelly, director of advancement services, at 904-819-6477 or JKelly@flagler.edu.
“We will continue to monitor this situation and provide updates as necessary,” Flagler College said.
Hackers typically do not get caught because they are running major operations, often from overseas, using secret servers and requesting payments through digital currency, which is untraceable.