Message to OWs, Parents, and Friends of MCS

Dear OWs, parents and friends of MCS

You may have read in the news about a data breach experienced by Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software.

We have been informed by Blackbaud that a back-up copy of MCS data in the NetCommunity part of their software was part of the cybercriminal attack. Blackbaud has provided us with assurances on the encryption of data and confirmed that – based on the nature of the incident, Blackbaud’s research and third-party (and law enforcement) investigation – they have no reason to believe that any data went beyond the original attacker, or has been otherwise misused; nor that it will be further disseminated or made publicly available.

Nevertheless the school is working closely with Blackbaud and as a precaution has informed both the Information Commissioner’s Office and the Charity Commission. The NetCommunity system is used at MCS to send bulk emails and to store OW profiles. As you are receiving this email, your email address will have been used in NetCommunity. OW profiles are in a password-protected part of the NetCommunity. Details such as name and address would have been included and could have been supplemented by telephone numbers, event attendance, donation history, education, professional details and any free text information on a Personal Information Form. The likely risk is not currently believed to be significant and so there is no need for any action at this time.

Up to January 2019, financial transactions could be made through NetCommunity, including credit card gifts and the online purchase of OW event tickets. We are assured that card information was encrypted such that it cannot be used. I intend to review the details of every past financial transaction made through NetCommunity in order to write this week to anyone who should be particularly made aware of this incident; while we know credit card data was encrypted, there may be some at a heightened risk of phishing attacks. If you ever have any concern about the veracity of a communication from MCS please contact Reception or the Waynflete Office.

I want to be completely open in this matter in the hope that you will feel confident in your relationship with MCS on fundraising, alumni relations and community matters. I do not want future pupils who would otherwise be at MCS through donated bursaries to be the ones who bear the real impact of this sort of cybercrime.

Please find below more information and feel free to email me directly on sbaker@mcsoxford.org or via waynfleteoffice@mcsoxford.org. Alternatively, you can phone the School Reception (01865 242191) and leave a message for me to call you.

Yours,

SUSANNAH BAKER

DIRECTOR OF THE WAYNFLETE OFFICE

What happened

On 16 July 2020, we were contacted by our third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for the Higher Education sector. Blackbaud informed us that they had discovered and stopped a ransomware attack in May 2020 and that the cyber-criminal was able to remove a copy of a subset of data from a number of their clients, including other UK universities and schools.

Since then we have been working to establish the facts and now understand that the data breach involved information in an area of our system called NetCommunity, which we use to host alumni profiles and send bulk emails, and which was formerly used by MCS to process financial transactions such as credit card donations, purchased tickets to OW events, and merchandise. The system was used for financial transactions between October 2014 and January 2019, although most transactions after 2017 were not processed through this system.

Our understanding of the situation is:

  • The cybercriminal did not gain access to full credit card details because they were encrypted;
  • A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
  • There is no reason to believe that any data went beyond the cyber-criminal, was or will be misused or made available publicly;
  • Blackbaud have identified the vulnerability associated with this incident and have confirmed that they have addressed it.

The breach does not affect financial donations or OW ticket sales made by bank transfer, cheques, foundation giving, payroll giving, standing orders or direct debits.

What information was involved

The data compromised was a back-up file from an area of our system called NetCommunity. The information involved will vary on a case-by-case basis:

  • Anyone receiving this email will have their email address in the NetCommunity data back-up.
  • For our OW community, this will depend on any further profile information added in the password-protected area of the OW website. Basic details such as name and address would have been included and could have been supplemented by telephone numbers, event attendance, donation history, education and professional details. If you included free text information on an OW Personal Information Form, this would have been stored in the back-up. Each OW has a password to allow them to access their own profile and this password was encrypted.

Steps taken

We have been informed that in order to protect client data and mitigate potential identity theft, Blackbaud paid the ransom demand and received assurances from the cybercriminal that the data was destroyed.

We have taken the following steps:

  • We have informed the Information Commissioner’s Office (ICO) and the Charity Commission of this breach;
  • We are working with Blackbaud to confirm why there was a delay between them finding the breach and notifying us;
  • We are notifying constituents who use email and our online systems so that they are aware of this breach to Blackbaud’s system and can remain vigilant;
  • We will review the details of every financial transaction made through NetCommunity in order to write to anyone who we believe should be particularly made aware of this incident; while we know data was encrypted, there may be some at a heightened risk of phishing attacks;
  • We are working closely with the school’s lawyers and Blackbaud and will publish any further updates in the coming weeks should they be required;
  • We will continue our Conveniamus bursary campaign and remain confident that the donation channels we have in place are not affected by this incident.

What you can do

There is no need for you to take any action at this time. You will hear from us directly if we believe that you may be at a heightened risk of a phishing attack.

Please do remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. If you ever have any concerns about the veracity of a communication from MCS please contact Reception or the Waynflete Office.