Blair Academy

On December 9, 2020, the Maine Office of the Attorney General disclosed a data breach affecting Blair Academy, stemming from an external cyberattack on Blackbaud, a third-party vendor. The breach, which occurred on May 20, 2020, compromised sensitive personal information of 4,773 individuals, including 13 Maine residents. The exposed data included names, addresses, and Social Security numbers highly sensitive details that pose significant risks of identity theft, financial fraud, and long-term reputational harm. The incident was attributed to hacking, where unauthorized actors exploited vulnerabilities in Blackbaud’s systems, leading to unauthorized access and exfiltration of data. While the breach did not involve ransomware, the scale and nature of the leaked information particularly Social Security numbers elevate the severity due to the potential for severe financial and personal consequences for affected individuals. The breach underscores vulnerabilities in third-party vendor security, raising concerns about supply chain risks and the adequacy of data protection measures in place at the time.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/cd0b613b-3678-4073-bc99-bf774398f08d.shtml

TPRM report: https://www.rankiteo.com/company/the-blair-academy

"id": "the728082025",
"linkid": "the-blair-academy",
"type": "Breach",
"date": "5/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '4,773 (including 13 Maine '
                                              'residents)',
                        'industry': 'Education',
                        'name': 'Blair Academy',
                        'type': 'Educational Institution'},
                       {'industry': 'Software/Cloud Services',
                        'name': 'Blackbaud',
                        'type': 'Third-Party Vendor'}],
 'attack_vector': 'Third-Party Vendor Compromise (Hacking)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '4,773',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Social Security '
                                                         'Numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2020-05-20',
 'date_publicly_disclosed': '2020-12-09',
 'description': 'The Maine Office of the Attorney General reported a data '
                'breach involving Blair Academy on December 9, 2020. The '
                'breach occurred on May 20, 2020, and resulted from an '
                'external system breach (hacking) at a third-party vendor, '
                'Blackbaud, impacting 4,773 individuals, including 13 Maine '
                'residents. The compromised information included names, '
                'addresses, and Social Security numbers.',
 'impact': {'data_compromised': ['Names',
                                 'Addresses',
                                 'Social Security Numbers'],
            'identity_theft_risk': 'High (PII including SSNs exposed)'},
 'references': [{'date_accessed': '2020-12-09',
                 'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Maine Office of the '
                                                       'Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via Maine Office of '
                                        'the Attorney General'},
 'title': 'Blair Academy Data Breach via Blackbaud Third-Party Vendor',
 'type': 'Data Breach'}