Blackbaud Hack: Aberystwyth University’s Data Attacked in Global Hack

Posted on the 25 July 2020 by Thiruvenkatam Chinnagounder @tipsclear

A Welsh university confirmed that it was one of over 20 institutions in the United Kingdom, the United States and Canada that was affected after hackers attacked a cloud computing provider.

Aberystwyth University reassured current students and alumni that "bank account details or credit card details were not detected" during the attack.

The hack targeted Blackbaud, which is a leading provider of software for the management and financial administration of education.

The ransomware attack occurred in May.

Aberystwyth University is "investigating urgently" after confirming the hack "concerned an alumni and a university supporters web portal and information management system".

Blackbaud, a U.S.-based company, has been criticized for failing to disclose its systems externally until July and for paying hackers an undisclosed ransom.

In some of the attacks on other universities, the data was limited to that of former students, who were asked to financially support the institutions from which they graduated. But in others it has extended to staff, existing students and other supporters.

'Assurances'

About 10,000 students study annually at the 148-year-old institution of Central Wales and the university said it had reassurance that "the stolen data has now been destroyed and there is no reason to believe it has been misused. ".

"Blackbaud assured that no bank account or credit card details were disclosed," said a university spokesman.

"We take data security very seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.

"We are contacting the users of the online portal and the recipients of our alumni and the electronic newsletters of supporters that we believe may have been affected."

The university reported the violation to the information commissioner's office and said it will "fully cooperate with any further steps it wishes to take."

Other institutions have been affected including the University of York, Loughborough University, the University of London and Oxford University College.

"Ransom note paid"

Blackbaud, whose headquarters are located in South Carolina, refused to provide a complete list of those affected, saying he wanted to "respect the privacy of our customers."

"Most of our customers were not part of this incident," said the company.

He told the BBC a statement on his website: "In May 2020, we discovered and stopped a ransomware attack. Before blocking the cyber criminal, the cyber criminal removed a copy of a subset of data from ourselves - hosted environment ".

The statement continues by saying that Blackbaud paid the ransom note. This is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, the ANC and Europol.

Blackbaud added that he had been given "confirmation that the copy [of data] removed had been destroyed. "

Blackbaud said he collaborated with law enforcement and third-party investigators to monitor whether the data is being disseminated or sold on the dark web, for example.

Privacy Act

Pursuant to the General Data Protection Regulation (GDPR), companies must report a significant violation to the data authorities within 72 hours of learning an accident or risk fines.

The UK Information Commissioner's office [ICO], as well as the Canadian data authorities, were informed of the breach last weekend, weeks after Blackbaud discovered the hacking.

An ICO spokesman said: "Blackbaud has reported to the ICO an incident that affected multiple data controllers. We will ask both Blackbaud and their respective managers questions and encourage all interested controllers to consider whether they should report the incident to the ICO individually ".