FundSvcs Community


Blackbaud Security Incident - FORMER Researchpoint clients

  • 1.  Blackbaud Security Incident - FORMER Researchpoint clients

    Posted 08-20-2020 08:38 AM
    As we continue our investigation into the impact of the Blackbaud security breach, we would like to hear from anyone who was a FORMER ResearchPoint client that is affected (that is what we are).

    We finally got the data that was breached and are looking to determine a few things before we communicate:

    1. What types of calls did you get and were you able to answer them? The data set we got back is extensive and since we don't have the product anymore, it's hard to navigate the hundreds of tables of information.

    2. What volume of calls did you get?

    3. Who was answering/responding to the phone calls/emails?

    4. Have you considered legal options against Blackbaud that they still had data after contract ended (in our case three years ago)?

    I would be interested in talking with anyone that is a ResearchPoint former client (and I guess maybe current client of ResearchPoint) that was affected by this breach to see how you're handling communication and support from that.

    Thank you.

    Thomas Chaves
    Associate VP for Advancement Operations
    St. Joseph's University

  • 2.  RE: Blackbaud Security Incident - FORMER Researchpoint clients

    Posted 08-24-2020 11:28 AM
    Hi Thomas,

    While I don't fit your exact criteria, I'm happy to chat about the response.

    My institution elected to notify because the majority of the relationships in the database have a close and trusting relationship with the institution (alumni) and the risks associated with not notifying outweighed the risks of notifying. So we made the decision to notify based on an analysis of the relationship before we even got to a legal analysis of the requirement to notify.

    We notified everyone by email; from a send of about 50,000, we got about 100-120 responses. I answered every one personally, and occasionally our CIO was brought in for a few closer relationships. Most were emails, probably 20 phone calls.

    We then notified everyone who did not have an email but did have a mailing address. In this group were some friends and former employees (ah, old database conversions where you don't know exactly who's in there amongst the non-donors...). From a mailing of about 12,000, I took another 20 calls/emails.

    Most of the calls were very cordial, either wanting to understand the incident further or wanting to understand if there was some action they should take. A very small number (currently at 21) requested total removal from the database. We scrambled to make a plan, but we are comfortable removing all name and address and phone and email from the database, using a code (e.g. 2020BreachAnonymous1, 2, 3, etc) in place of the name, and then moving the name information to a locked fireproof safe on paper. This maintains our audit trail for those few former donors who requested full removal.

    Your situation is very different as a former client of Blackbaud, so your analysis may lead to a very different outcome. I'm happy to chat or correspond privately if that would help. 


    Faith Danforth
    Executive Director Advancement Strategy & Operatio
    Willamette University

  • 3.  RE: Blackbaud Security Incident - FORMER Researchpoint clients

    Posted 08-24-2020 11:39 AM
    Faith, I want to applaud the proactive approach you and Willamette took - regardless of any legal requirement.


    John H. Taylor
    John H. Taylor Consulting, LLC
    2604 Sevier St.
    Durham, NC   27705
    919.816.5903 (cell/text)

    Serving the Advancement Community Since 1987

  • 4.  RE: Blackbaud Security Incident - FORMER Researchpoint clients

    Posted 08-24-2020 12:16 PM
    Thanks Faith! Great info!

  • 5.  RE: Blackbaud Security Incident - FORMER Researchpoint clients

    Posted 08-25-2020 10:01 AM

    Thomas - 

    We at GT only had one small set of information that was in the product.  It was screening data for incoming freshman parents for the last several years.  The data we put into the instance was only demographic data (name and address) and contained no identity info (birthdate/ssn/etc.).

    We posted a link on our main website linking to a news article that discussed that we were affected and how we were affected.  You can see that article here:  We left the link on our main web site for 10 days.

    Answers to your specific questions:

    1) None
    2) 0
    3) AVP Development Services
    4) No.  We are still a customer (Azure/CRM) and not prepared to strain that relationship given the minimal impact we had.


    Mark Sanders
    Director of Development Information Systems
    Georgia Tech