Metairie Park Country Day School

Metairie Park Country Day School (MPCDS) suffered a ransomware attack via its third-party vendor, Blackbaud, between February 7, 2020, and May 20, 2020. The incident exposed sensitive personal data of approximately 2,920 individuals, including two Maine residents whose names and taxpayer identification numbers (TINs) were potentially compromised. The breach was disclosed to affected parties via written notice on November 18, 2020. The attack targeted Blackbaud’s systems, which stored MPCDS’s donor, alumni, and student records. While the school relied on Blackbaud’s services, the ransomware encryption led to unauthorized access to confidential information. Although Blackbaud claimed to have contained the attack and paid the ransom to prevent further data leakage, the exposure of taxpayer IDs, a critical identifier for financial and identity fraud, posed significant risks. The delayed notification (over six months after discovery) further exacerbated concerns over transparency and mitigation efforts. The incident highlights vulnerabilities in third-party vendor security, particularly in educational institutions handling sensitive financial and personal data. The compromised taxpayer identification numbers could enable identity theft, fraudulent tax filings, or financial scams, making this a high-stakes data breach with long-term repercussions for affected individuals.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/07378cb2-fafc-43bc-a0a5-e28b713ec242.shtml

TPRM report: https://www.rankiteo.com/company/jpschools

"id": "jps220090325",
"linkid": "jpschools",
"type": "Ransomware",
"date": "2/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': '2,920 individuals (including 2 '
                                              'Maine residents)',
                        'industry': 'education',
                        'location': 'Metairie, Louisiana (affecting 2 Maine '
                                    'residents)',
                        'name': 'Metairie Park Country Day School (MPCDS)',
                        'type': 'educational institution'},
                       {'industry': 'technology/services',
                        'name': 'Blackbaud',
                        'type': 'third-party vendor'}],
 'customer_advisories': 'Written notice provided to affected individuals on '
                        'November 18, 2020',
 'data_breach': {'number_of_records_exposed': '2,920',
                 'personally_identifiable_information': ['names',
                                                         'taxpayer '
                                                         'identification '
                                                         'numbers'],
                 'sensitivity_of_data': 'high (includes taxpayer '
                                        'identification numbers)',
                 'type_of_data_compromised': ['personally identifiable '
                                              'information (PII)']},
 'date_publicly_disclosed': '2020-11-18',
 'description': 'The Maine Office of the Attorney General reported that '
                'Metairie Park Country Day School (MPCDS) experienced a '
                'ransomware incident involving their third-party vendor '
                'Blackbaud, which occurred between February 7, 2020, and May '
                '20, 2020. Approximately 2,920 individuals were affected, '
                'including 2 Maine residents whose names and taxpayer '
                'identification numbers were potentially exposed. Written '
                'notice was provided to those impacted on November 18, 2020.',
 'impact': {'data_compromised': ['names', 'taxpayer identification numbers'],
            'identity_theft_risk': 'potential'},
 'references': [{'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
                                                       'Attorney General'},
 'response': {'communication_strategy': 'Written notice provided to affected '
                                        'individuals on November 18, 2020'},
 'title': 'Ransomware Incident at Metairie Park Country Day School via '
          'Third-Party Vendor Blackbaud',
 'type': 'ransomware'}