At least six universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.
Human Rights Watch and the children’s mental health organization, Young Minds, also confirmed that they were affected.
The hack targeted Blackbaud, one of the world’s largest software providers for education administration, fundraising and financial management.
The U.S. company’s systems were breached in May.
It has been criticized for not disclosing the breach externally until July and for paying the hackers an undisclosed ransom.
The institutions that the BBC has confirmed were affected are:
- University of York
- Oxford Brookes University
- University of Leeds
- University of London
- University of Reading
- Ambrogio University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design in the United States
All of the institutions are sending letters and emails apologizing to affected staff, students, alumni and donors.
In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
Blackbaud, which is headquartered in South Carolina, refused to provide a complete list of those affected, saying it wanted to “respect the privacy of our customers.”
“Most of our customers were not part of this incident,” said the company.
It referred the BBC to a statement on its website: “In May 2020, we discovered and stopped a ransomware attack. Before blocking the cyber criminal, the cyber criminal removed a copy of a subset of data from our self-hosted environment.”
The statement goes on to say that Blackbaud paid the ransom demand. This is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, the ANC and Europol.
Blackbaud added that it had been given “confirmation that the copy [of data] removed had been destroyed.”
Several Blackbaud clients listed on its site have confirmed that they were not affected, including:
- Oxford University
- University College London
- Queen’s University Belfast
- University of Western Scotland
- Islamic Relief
- Prevent Breast Cancer
“My main concern is how reassuring – in my opinion, impossibly so – Blackbaud was to the university about what the hackers got,” commented Rhys Morgan, a cybersecurity specialist and former student of Reading University, whose data was involved.
“They told my university that ‘there is no reason to believe that the stolen data has been or will be misused.’
“I can’t be reassured by this at all. How can they know what attackers will do with this information?”
Blackbaud said it was working with law enforcement and third-party investigators to monitor whether the data is being circulated or sold, for example on the dark web.
Barrister and blogger Matthew Scott also received an email about the hack.
“I doubt my university has many details that aren’t easily available, but I’m more worried about giving in to the blackmail and cheerfully accepting the blackmailer’s word that all the data was destroyed,” he told the BBC.
Under the General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident, or risk fines.
The UK Information Commissioner’s Office (ICO), as well as the Canadian data authorities, were informed of the breach last weekend, weeks after Blackbaud discovered the hack.
An ICO spokesman said: “Blackbaud has reported to the ICO an incident that affected multiple data controllers. We will ask both Blackbaud and their respective managers questions and encourage all affected controllers to consider whether they should report the incident to the ICO individually.”
The University of Leeds said in a statement: “We want to reassure our former students that since Blackbaud was informed of this incident, we have worked tirelessly to investigate what has happened in order to accurately inform those affected. No action is required from our community of alumni at this time, although, as always, we recommend that everyone remain vigilant.”