Dear TC Community,

We want to inform you about a data security breach involving a Teachers College (TC) vendor that may have compromised certain aspects of your demographic and philanthropic information.* The data that was compromised did NOT include social security numbers, credit card numbers, or bank account numbers.

The breach entailed a ransomware attack on specific data and servers of a software and services company called Blackbaud. Blackbaud’s Notice of Security Incident can be found here. TC is one of many impacted schools and nonprofit organizations that use Blackbaud’s software for engagement and fundraising activities. The incident occurred between February 7, 2020, and May 20, 2020. Blackbaud notified TC on July 16 of its discovery and investigation of the breach, provided us both with information on actions it took to resolve the problem, and with guidance on further safety precautions we might consider.

Teachers College takes the protection and proper use of your information very seriously and has been in direct contact with Blackbaud about this incident. Blackbaud has informed us that — based on the nature of the incident, on its own findings, and on third-party investigations, including those conducted by law enforcement — no stolen data was released, was or will be misused, or will be disseminated or otherwise made available publicly. As an extra precautionary measure, Blackbaud has contracted with a third-party team of experts to monitor the situation.

For more details on how to protect your personal information, please review TC’s information security site. It is also recommended that you immediately report any suspicious activity or suspected identity theft both to us and to law enforcement authorities.

We regret any inconvenience this may have caused you. We value your relationship with Teachers College, and encourage you to contact us directly if you have any questions or concerns at privacy@tc.columbia.edu.

Sincerely,

JoAnne Williams
Vice President for Finance and Administration

*To the extent that the data breach affects constituents residing in the UK or EU, please accept this letter as a notification pursuant to Article 33(2) of the General Data Protection Regulation (“GDPR”).