At John Carroll University, we take the privacy and security of the personal information you entrust to us very seriously. That’s why we have shared this information regarding a recent data security incident involving Blackbaud, Inc. (“Blackbaud”), a database software provider we use to collect and maintain alumni, community member and donor information. We are sending this letter to be sure you receive written notice of this security event and additional information about what happened. While John Carroll University’s information did not contain the type of sensitive information typically associated with identity theft and Blackbaud continues to assure us they don’t believe your information was misused in any way, we are also providing a list of identity theft related consumer resources.
What Happened? Blackbaud is a large software company that provides customer relationship management systems for not-for-profit organizations and the higher education sector. On July 16, 2020, Blackbaud informed its customers, including John Carroll University, that Blackbaud had been the victim of a ransomware attack that culminated in May 2020. According to Blackbaud, the cybercriminal was unsuccessful in blocking access to the database, however, Blackbaud informed us that the cybercriminal was able to remove a copy of a subset of data, including data related to John Carroll University community members. This incident involved many, many clients of Blackbaud and John Carroll University’s information was not targeted specifically. Blackbaud informed us that they undertook a complete forensics investigation, paid the cybercriminal’s demand, and received credible confirmation that the copy they removed had been destroyed. According to Blackbaud, based on “its research and the third-party investigation (including law enforcement), there is no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.” You can read more about this incident at https://www.blackbaud.com/securityincident.
What information was involved? The information involved in this incident may have included your name, contact information, date of birth, student identification number, list of family members, employment, John Carroll giving history, philanthropic interests, and other similar information concerning your affiliation with the University and charitable interests. Your social security number and financial information was not at risk because John Carroll University does not use Blackbaud to store or process financial account information, financial transactions, or social security numbers.
What are we doing? Upon learning of the incident, we’ve continued to communicate with Blackbaud to understand the full scope of this matter, verify the information provided by Blackbaud, and evaluate our continued relationship with Blackbaud. Although we have no indication that Blackbaud had any particularly high-risk information or that your information was misused, out of an abundance of caution, you should consider the information in the attached “Identity Theft Information and Resources” document regarding steps you can take to help protect your personal information.
For more information: If you have any further questions or concerns regarding this matter, please don’t hesitate to call 216.397.4336, from 8:30 a.m. to 5:00 p.m. Eastern Time, Monday through Friday or email us at alumni@jcu.edu.
Please know that we deeply regret any worry or inconvenience this may cause you. Thank you so much for your involvement in and support of John Carroll University.
________________________
Identity Theft Information and Resources
Review Account Statements and Notify Law Enforcement of Suspicious Activity: As a precautionary measure, we recommend that you remain vigilant and review your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and/or the Federal Trade Commission.
Credit Report Copy: You may obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com/, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can also contact one of the following three national credit reporting agencies:
Equifax P.O. Box 105851 Atlanta, GA 30348 1-800-525-6285 www.equifax.com
Experian P.O. Box 9532 Allen, TX 75013 1-888-397-3742 www.experian.com
TransUnion P.O. Box 1000 Chester, PA 19016 1-877-322-8228 www.transunion.com
Free Annual Report P.O. Box 105281 Atlanta, GA 30348 1-877-322-8228 annualcreditreport.com
Fraud Alert: You may want to consider placing a fraud alert on your credit file. An initial fraud alert is free and will stay on your credit file for at least one year. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at http://www.annualcreditreport.com.
Security Freeze: In some U.S. states, you have the right to put a security freeze on your credit file. This will prevent new credit from being opened in your name without the use of a PIN number that is issued to you when you initiate the freeze. A security freeze is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to obtain credit. You must separately place a security freeze on your credit file with each credit reporting agency. There is no fee to place, lift or remove the security freeze. In order to place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement or insurance statement.
Additional Free Resources: You can obtain information from the consumer reporting agencies, the FTC or from your respective state Attorney General about steps you can take toward preventing identity theft. You may report suspected identity theft to local law enforcement, including to the FTC or to the Attorney General in your state of residence.
Federal Trade Commission: 600 Pennsylvania Ave, NW, Washington, DC 20580, consumer.ftc.gov, and www.ftc.gov/idtheft, 1-877-438-4338
Your Rights under the Fair Credit Reporting Act (FCRA): These rights include knowing what is in your file; disputing incomplete or inaccurate information; and requiring consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf
.