The Maine Office of the Attorney General disclosed a ransomware attack on Blackbaud, a third-party service provider, which indirectly impacted St. Lawrence University between February 7 and May 20, 2020. The breach exposed the personal and financial account information of 464 individuals, including three Maine residents, whose names and financial details were potentially compromised. While the attack targeted Blackbaud, St. Lawrence University was among the affected institutions whose data was held hostage. In response, the university offered complimentary one-year identity theft protection services via Experian IdentityWorks to mitigate risks for the affected individuals. The incident highlights vulnerabilities in third-party vendor security and the cascading risks of ransomware attacks on interconnected systems, where sensitive data including financial records can be exfiltrated or encrypted for extortion.
TPRM report: https://www.rankiteo.com/company/st-lawrence-university-ndop
"id": "st-541083025",
"linkid": "st-lawrence-university-ndop",
"type": "Ransomware",
"date": "2/2020",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': '464 individuals (including 3 '
'Maine residents)',
'industry': 'Higher Education',
'location': 'Canton, New York, USA',
'name': 'St. Lawrence University',
'type': 'Educational Institution'},
{'industry': 'Cloud Computing / Nonprofit Software',
'name': 'Blackbaud',
'type': 'Third-party Service Provider'}],
'attack_vector': 'Third-party vendor (Blackbaud) compromise',
'customer_advisories': 'Complimentary identity theft protection services '
'offered to affected individuals',
'data_breach': {'data_exfiltration': 'Likely (ransomware attack context)',
'number_of_records_exposed': '464',
'personally_identifiable_information': 'Yes (names, financial '
'account information)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial account information']},
'date_detected': '2020-05-20',
'date_publicly_disclosed': '2020-11-25',
'description': 'The Maine Office of the Attorney General reported a data '
'breach involving St. Lawrence University on November 25, '
'2020. The breach occurred between February 7 and May 20, '
'2020, due to a ransomware attack on Blackbaud, affecting a '
'total of 464 individuals, including 3 Maine residents whose '
'names and financial account information were potentially '
'compromised. St. Lawrence University is providing affected '
'residents with a complimentary one-year membership to '
'identity theft protection services through Experian '
'IdentityWorks.',
'impact': {'brand_reputation_impact': 'Potential reputational harm due to '
'exposure of sensitive data',
'data_compromised': ['Names', 'Financial account information'],
'identity_theft_risk': 'High (financial account information '
'exposed)',
'payment_information_risk': 'Yes'},
'investigation_status': 'Disclosed; no further details provided',
'post_incident_analysis': {'root_causes': 'Third-party vendor (Blackbaud) '
'compromise via ransomware attack'},
'ransomware': {'data_encryption': 'Likely (ransomware attack)',
'data_exfiltration': 'Likely'},
'references': [{'source': 'Maine Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
'Attorney General'},
'response': {'communication_strategy': 'Public disclosure via Maine Office of '
'the Attorney General',
'incident_response_plan_activated': 'Likely (identity protection '
'services offered)',
'recovery_measures': 'Complimentary one-year membership to '
'Experian IdentityWorks for affected '
'individuals',
'third_party_assistance': 'Experian IdentityWorks (for identity '
'theft protection)'},
'title': 'St. Lawrence University Data Breach via Blackbaud Ransomware Attack',
'type': 'Data Breach (Ransomware)'}