Cyberattack on Blackbaud

Recently, TU Delft has been notified of a data security incident which included a TU Delft alumni database from 2017. This notification came from Blackbaud, a third-party service provider and one of the world’s largest providers of customer relationship management systems for non-profit organisations and the higher education sector.

On 16 July 2020, Blackbaud, the provider of TU Delft’s alumni relationship management system, informed us that they had been the victim of a ransomware attack between 7 February and 20 May 2020. As noted in Blackbaud’s public disclosure, the cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included an old back-up file of February 2017 with alumni data from Delft University of Technology.

What information does it involve?

The data accessed by the cybercriminal may have contained some of the following information:

Basic details e.g. name, title, gender, date of birth and alumni ID (if applicable)
Addresses (home address) and contact details e.g. phone and/or e-mail
Study information e.g. faculty, programme, dates attended
Employment information e.g. company name and job title

The file did not contain bank accounts, passwords or Citizen Service Numbers (BSN).While Blackbaud assures us that the incident was solved and the back-up file was deleted by the hackers, we immediately launched our own investigation. This breach did not happen at a TU Delft facility and given the number of other institutions affected, we do not believe that this attack was specifically targeting TU Delft or our alumni database.

What are we doing

In the response to the incident and the follow-up steps to be taken, we are co-operating with other Dutch universities that have been affected, including Utrecht University.

We have informed the Dutch Data Protection Authority of the breach.
As soon as we got the information needed, the provision of which took almost three weeks, we notified alumni to make them aware of this breach of Blackbaud’s systems and can remain vigilant about any attempted misuse of data.
We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
We are working with Blackbaud to understand why there was still an old back-up available on their own self-hosted environment.
We are reviewing our internal practices and continue to take advice from our Data Protection and IT security teams to ensure the greatest level of data protection moving forward.
We are reviewing our collaboration with Blackbaud.

What can you do?

The affected alumni have received a message from us via e-mail of postal mail (latest end of August). Alumni who are unsure whether their details were in the file, and who have not yet received a message at the postal or e-mail address known to us, can reach us via alumnirelations@tudelft.nl.

There is no need for contacts of TU Delft other than alumni to take action. Furthermore, alumni who graduated after 2017 are certainly not affected.

As a best practice, we recommend everyone remain vigilant and promptly report any suspicious activity (e.g. identify fraud) to the proper law enforcement authorities.

More information

If you have questions, and you would like to contact a member of the TU Delft Alumni Relations team or set up a time to speak with us directly, please write to alumnirelations@tudelft.nl. If you are not able to e-mail us, please contact us via the TU Delft general number: +31 (0)15 27 89111, Monday to Friday 08.30 - 17.00 hours CEST. You can also change your communication preferences or send other requests at any time by writing to us at the above e-mail address.

Press officer TU Delft: Karen Collet, +31 (0)15 27 89111, e-mail: K.Collet@tudelft.nl

Frequently Asked Questions

If you are an alumnus/a who was in the database during February 2017, we have informed you via email or letter. If you graduated after February 2017, you were not part of this back-up file. If you are in doubt, please contact us.

The security incident affected an old back-up file from February 2017. The database in 2017 contained almost 60.000 graduates. The information we had on alumni varied per person. In that database we could save:

Full name, titles, date of birth, contact details (home address, e-mail address, phone number)
Study information (start date, date of graduation, programme)
Employment information (Employer name, job title)

If you want to know exactly what information was in our database, send us an email with your full name, date of birth and your TU Delft course. We can then investigate if you were in the database at the time and if so, what information was in the database.

While Blackbaud assures us that the incident was solved and the back-up file was deleted by the hackers, we immediately launched our own investigation and we wanted to inform you about this. TU Delft informed the Dutch Data Protection Authority of the breach. We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.

TU Delft has been informed by Blackbaud on 16 July 2020, however, it took a further three weeks for Blackbaud to provide the information necessary to know which alumni were affected. This information was needed to inform the people affected.

TU Delft is evaluating whether this incident should have consequences for our collaboration with Blackbaud. Currently, we use Blackbaud’s CRM system ‘Raiser’s Edge’ as a database for the information of alumni, donors and other relations. The data is held in a Microsoft Azure environment hosted in Amsterdam.

TU Delft uses the alumni database to inform graduates on the latest developments in research and education at their alma mater; furthermore, we provide information on lifelong learning opportunities.