At least 10 universities in the UK, USA and Canada have confirmed they were victims of a ransomware attack in May.
The institutions had data stolen about students and/or alumni after hackers attacked Blackbaud, a provider of education administration, fundraising and financial management software.
Human Rights Watch and Young Minds, a children’s mental health charity, have also confirmed that they were affected by the attack.
Confirmed victims of the attack in the UK include the Universities of York, Oxford Brookes, Loughborough, Leeds, London, Reading, Exeter and University College, Oxford. The Rhode Island School of Design in America, and Ambrose University in Canada, were also affected.
In some cases, the data was that of alumni who had been asked to financially support their university. In other cases, it extended to staff, current students and other supporters, with the stolen data including phone numbers and events attended.
All of these institutions are sending letters and emails of apology to those on the compromised databases.
Other Blackbaud clients, including University College London and Queen’s University Belfast, have confirmed that they were not affected by the attack.
In a statement on its website, Blackbaud wrote: “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.
“The cyber-criminal did not access credit card information, bank account information, or social security numbers.
“Because protecting our customers’ data is our top priority, we paid the cyber-criminal’s demand with confirmation that the copy they removed had been destroyed.
“Based on the nature of the incident, our research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
It is not illegal to pay a ransom demand, but it goes against the advice of major law enforcement agencies, including the FBI and Europol.
Blackbaud has come under fire for a delay in informing the UK’s Information Commissioner’s Office and Canadian data authorities about the attack. Under the General Data Protection Regulation (GDPR), companies must report a breach of this magnitude within 72 hours, or face potential fines.
In this case, the attack happened in May, but victims were not informed until 16 July.
Rhys Morgan, a cyber-security specialist and former Oxford Brookes student, said: “My main concern is how reassuring – impossibly so, in my opinion – Blackbaud were to the university about what the hackers have obtained.
“They told my university that there is ‘no reason to believe that the stolen data was or will be misused’.
“I can’t feel reassured by this at all. How can they possibly know what the attackers will do with that information?”
Matthew Scott, a barrister and blogger, said: “I doubt that my university has many details that aren’t pretty easily available, but I am more concerned about giving in to the blackmail and blithely accepting the word of the blackmailer that all the data has now been destroyed.”
Blackbaud has now said it is working with law enforcement and other investigators to monitor whether the data is being circulated or sold on the dark web.