Blackbaud hack leaves UK institutions exposed

07 August 2020

Cybercriminals obtained data belonging to universities, charities and other UK institutions following a ransomware attack on US cloud computing provider Blackbaud.

The South Carolina-based firm was held to ransom by attackers in May and paid them an undisclosed sum. However, the company, the world’s largest provider of education administration, fundraising and financial management software, has not revealed the scale of the breach.

Blackbaud has also been criticised after taking weeks to warn victims that data had been stolen.

In some cases, the personal details exposed were limited to those of former students who had been asked to support financially the institutions from which they had graduated. In other cases, the exposure extended to staff, current students and other supporters.

Universities confirmed to have been affected include the University of Birmingham, De Montfort University, Oxford Brookes University and University College, Oxford. The National Trust, the homelessness charities The Wallich and Crisis, the terminal illness charity Sue Ryder and the mental health group Young Minds are also on the growing list.

However, the hack has not been limited to universities and charities. Some schools have also been affected, including St Albans in Hertfordshire, Radley College in Abingdon and St Aloysius in Glasgow.

ACS International, commonly known as “the American School” in London and Surrey, also said there was a low threat to its “alumni’s and friends’ information”.

In addition, Maccabi GB – an organisation that provides services to 44 Jewish primary and secondary schools – said its data was among that compromised.

All the institutions that were affected are sending letters and emails apologising to those on the compromised databases.

In some cases, the stolen data included phone numbers, donation history and events attended. However, credit card and other payment details do not appear to have been exposed.

Andrea Babbs, head of sales UK and Ireland at security solutions vendor Vipre, told Networking+ that the Blackbaud ransomware attack demonstrates the importance of a layered approach to IT security and, more specifically, of strong email security in both SMEs and larger organisations. “The consequences of Blackbaud deciding to pay out a ransom to protect sensitive data highlights the threat and damage that can be caused by not having the correct IT security infrastructure in place,” she said. “With numerous universities and charities affected by the Blackbaud attack, the fact that personal details such as customer names and contact information were compromised and held to ransom by cybercriminals showcases that even highly regulated industries can have vulnerabilities in their security processes. As with all data breaches, students, staff and supporters could now be left wondering how they can trust their educational facilities with personal information in the aftermath of this data protection failure.”

Blackbaud insisted that “the majority of our customers were not part of this incident”. It said in a statement that once the hackers had been paid, they had given “confirmation that the copy [of data] they removed had been destroyed.” Such an assurance cannot be independently verified: once data has been copied out of a victim’s environment, the victim has no way of confirming that every copy has been deleted, so affected organisations should treat the data as still exposed.

Questions are also being asked about why Blackbaud took weeks to inform its customers of the hack. Under the General Data Protection Regulation (GDPR), an organisation that controls personal data must report a breach likely to pose a risk to individuals to its data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, or risk fines. A service provider processing data on a customer’s behalf, as Blackbaud does for the affected institutions, must in turn notify those customers without undue delay, since it is the customers who have to make the report to the regulator.

A spokesman from the UK’s National Cyber Security Centre said: “We are aware of this incident and are supporting partners in the UK and internationally in response. We would urge all organisations to read our guidance on how to defend themselves against malware and ransomware attacks.”

The UK’s Information Commissioner’s Office (ICO) said that 125 organisations had reported to it in relation to the incident “so far” when Networking+ went to press.