Magazine

Blackbaud Hack: More UK Universities Confirm Breach

Posted on the 24 July 2020 by Thiruvenkatam Chinnagounder @tipsclear

Blackbaud hack: More UK universities confirm breach

Blackbaud hack: More UK universities confirm breach

More than 20 universities and charities in the United Kingdom, the United States and Canada have confirmed that they are victims of a cyber attack that has compromised a software provider.

Blackbaud was held hostage by hackers in May and paid an undisclosed ransom to cybercriminals.

The U.S.-based company is the world's largest provider of education administration, fundraising and financial management software.

Blackbaud is not revealing the extent of the violation.

Dozens of other charities and educational organizations may have been affected.

The cloud services company is facing criticism after taking weeks to warn victims that the data had been stolen.

In some cases, personal details were limited to those of the former students, who were asked to financially support the institutions from which they graduated. But in other cases, it has extended to staff, existing students and other supporters.

The institutions that the BBC confirmed have been affected are:

  • De Montfort University
  • Strathclyde University
  • University of Exeter
  • University of York
  • Oxford Brookes University
  • Loughborough University
  • University of Leeds
  • University of London
  • University of reading
  • University College, Oxford
  • Middlebury College, Vermont
  • University of West Virginia
  • New College of Florida
  • Cheverus High School: Catholic High School Portland
  • The Bishop Strachan School, Canada
  • University of North Florida
  • Ambrose University, Alberta, Canada
  • Rhode Island School of Design, United States

Other organizations, including charities, confirmed as interested are:

  • Chorus with no name
  • Vermont Foodbank
  • Public Vermont radio
  • Project for the rights of north-western immigrants
  • Human Rights Watch
  • Young Minds

All institutions send letters and emails to apologize to those in compromised databases.

In some cases, the stolen data included phone numbers, donation history and events they attended. The credit card and other payment details do not appear to have been exposed.

A spokesman for the UK's National Cyber ​​Security Center said: "We are aware of this incident and are supporting partners in the UK and internationally in response. We urge all organizations to read our directions on how to defend against attacks. malware and ransomware. "

Blackbaud, whose headquarters are located in South Carolina, insists that "most of our customers were not part of this incident."

He told the BBC a statement on his website: "In May 2020, we discovered and stopped a ransomware attack. Before blocking the cyber criminal, the cyber criminal removed a copy of a subset of data from ourselves - hosted environment ".

I paid the hackers

The statement continues by saying that Blackbaud paid the ransom note. This is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, the ANC and Europol.

Blackbaud said that once the hackers had been paid, they had given "confirmation that the copy [of data] removed had been destroyed. "

"It is worrying that the vendor paid the ransom since it probably encourages future attacks and does not outweigh the fact that the data has been compromised. This demonstrates the multiplier effect of supply chain hacks and reinforces advice that Security should be a collaborative exercise, "said Cath Goulding, information security officer at the cyber security firm Nominet.

It's unclear how many people have been sent notifications, but some interested alumni and students have expressed concern about social media and the BBC that they are now concerned that cyber criminals are true to their word.

Privacy Act

Questions are asked as to why Blackbaud took weeks to inform its customers of the hacking.

Pursuant to the General Data Protection Regulation (GDPR), companies must report a significant violation to the data authorities within 72 hours of learning an accident or risk fines.

The UK Information Commissioner's office [ICO], as well as the Canadian data authorities, were informed of the breach last weekend, weeks after Blackbaud discovered the hacking.

In the notice to its students, the West Virginia University Foundation stated that "it was working with Blackbaud to understand why there was a delay between the search for the violation and the notification to us, as well as the actions taken by Blackbaud to increase its security" .

One of the affected institutions told the BBC that the hacker is hitting a product called NetCommunity which Blackbaud describes on its website as a "system of managing and engaging former students for nonprofits".


Back to Featured Articles on Logo Paperblog