Earlier this year, the Gateway Technical College Foundation experienced an attempted breach of its database.
The good news is that no financially sensitive or identifying information was compromised, Foundation administrators said.
The GTC Foundation is a non-profit organization that manages contributions for cultural activities and resources at Gateway Technical College.
In an Oct. 8 letter to donors and other community stakeholders, Foundation Executive Director Jennifer Charpentier outlined the nature of the potential data breach, carefully explaining how the crisis had been managed with no loss of confidential data.
The letter stated that in May 2020, Blackbaud, the software vendor that manages the Foundation’s donor database, “experienced a security incident.”
Charpentier noted that Blackbaud was able to quickly identify and disarm the attempt and stop a ransomware attack. The company informed the Foundation of the attempt and its findings in July.
During the investigation, Blackbaud determined that compromised information may have included donor names, addresses, emails and student identification numbers but not credit card or bank account information or social security numbers.
However, the cybercriminal was prevented from blocking Blackbaud’s system access and encrypting files. Blackbaud also reported that copies of identifying but non-financial information had been obtained and destroyed.
Charpentier explained that the time between the discovery of the attempted breach and the recent letter to donors was needed “to investigate and work with experienced professionals to communicate what had happened and with whom.”
The letter set out to reassure everyone that the danger had passed.
“The pieces that would be critical for ID theft were not breached,” Charpentier said in a phone interview Tuesday.
The letter said, “We are writing to notify you about a situation we experienced with a vendor that may have exposed some of our stakeholders’ personal information to unauthorized third parties and steps we are taking to address the situation.”
The cyberattack was investigated by forensic IT experts, and options were explored to tighten vendor controls.
Charpentier noted that by law the Foundation is required to notify all concerned parties of a breach of financial information, but she felt it important to notify everyone, even though no such breach occurred.
“Donors are all being informed this month, because we value our stakeholders and wanted to err on the side of transparency,” Charpentier said. “Because we value these relationships, we took our time and then communicated about the situation.”
