The National Trust of the United Kingdom is among the over 80 organizations that have confirmed data breaches resulting from an attack on the cloud computing provider Blackbaud.
Other people involved include homeless charities, The Wallich and Crisis, the Sue Ryder charity for terminal illnesses and the Young Minds mental health group.
Dozens of British universities have also alerted past and present students.
Museums, schools, churches and food banks were also affected.
The UK Information Commissioner’s Office (ICO) has said it is investigating the matter and is therefore limited in what it can say right now.
The National Trust said data on its volunteer and fundraising communities were involved, but not on its 5.6 million larger members.
The organization – which deals with historic buildings and gardens – added that an internal investigation was underway to assess whether further action was needed.
“We are currently identifying and informing those affected,” said Jon Townsend, Chief Information Officer of the trust.
“We reported the incident to the UK data protection regulator, the information commissioner’s office and the charity commission.”
Newcastle University was another entity that publicly disclosed after being contacted by the BBC.
“We were informed of a security incident involving a service provider we use, Blackbaud, one of the world’s largest ex-student database software providers,” said a spokesman.
“We apologize for any concern or inconvenience caused … and have started a security review.”
Blackbaud said he realized the matter in May, and subsequently paid the attackers a ransom. However, this month it warned its customers of the violation, which is why notifications are only now sent to members of the public.
Some of them specifically mention two of Blackbaud’s platforms – Raiser’s Edge and NetCommunity – which are commonly used to track donors and the amounts they have given.
Blackbaud said the data does not include bank account details or payment card details.
But a source told the BBC that in some cases it involved donor details, including:
- names, ages and addresses
- car license details
- the employers
- estimated wealth and identified assets
- total number and value of donations passed to the organization in question
- wider history of philanthropic and political gifts
- identity of spouses and past gifts
- probability of making a legacy triggered by their death
Although Blackbaud claimed that cybercriminals had provided confirmation that the stolen data had been destroyed, an expert wondered if this guarantee could be trusted.
“Hackers would know that these people have a propensity to support good causes,” commented Pat Walshe of the consultancy firm Privacy Matters.
This would be valuable information for scammers, he added, who could use it to trick victims into thinking that they were making additional donations when they actually gave their payment card details.
Mr. Walshe also questioned the existence of a breach of the GDPR’s privacy law, which requires that significant personal data breaches be reported to regulators within 72 hours of discovery.
Blackbaud said that “we were working closely with law enforcement and other specialists at all times.”
However, neither it nor the ICO have yet revealed when the UK watchdog was notified.
Blackbaud declined to name or number the organizations concerned, besides saying that it is a “subset” of its thousands of customers.
However, the BBC identified some of these by contacting them directly and tracking down online warnings of security breaches.
The problem is so prevalent across the higher education sector that some universities have posted notices saying that their data was not involved.
Some schools have been affected, including St Albans in Hertfordshire and ACS International, which teaches children in London, Surrey and Qatar.
In addition, Maccabi GB – an organization that provides services to 44 Jewish primary and secondary schools – told supporters that their data was among the compromised ones.
In addition to the United Kingdom, the Central European Hungarian university is among those that have confirmed their involvement.
But the other international organizations confirmed by the BBC have all been based in the United States and Canada.
They include several cancer charities, human rights campaigns, public radio stations and religious groups, as well as schools, colleges and universities.
Who confirmed that they had been hacked?
Educational institutions of the United Kingdom:
- Aberystwyth University
- ACS international schools
- Aston University, Birmingham
- Brasenose College, Oxford University
- Brunel University, London
- De Montfort University
- Heriot-Watt University, Edinburgh
- Hughes Hall College, Cambridge University
- King’s College, London
- Loughborough University
- Oxford Brookes University
- Robert Gordon University
- Selwyn College, Cambridge University
- St Albans School, Hertfordshire
- University of Sheffield Hallam
- Staffordshire University
- University College, Oxford
- Aberdeen University
- University of Birmingham
- Bristol University
- Durham University
- University of Exeter
- Glasgow University
- University of Leeds
- University of London
- Manchester University
- Newcastle University
- Northampton University
- University of Reading incl Henley Business School
- Strathclyde University
- University of South Wales
- University of Sussex
- University of York
Other UK nonprofits:
- Action on addiction
- Breast cancer now
- Chorus with no name
- Maccabi GB
- Sue Ryder
- The National Trust
- The Urology Foundation
- The Wallich
- Young Minds
- Alpha USA charity
- University of Ambrose, Alberta
- American Civil Liberties Union (ACLU), New York
- Bentley University, Massachusetts
- Delaware boys and girls clubs
- Cancer Research Institute, New York
- Catholic charity of St. Paul and Minneapolis
- Central European University, Budapest
- Cheverus High School, Portland
- Coastal Maine Botanical Gardens
- Darlington School, Georgia
- University of Des Moines
- Diocese of Gaylord, Michigan
- Emerson College, Boston
- First place for young people, California
- Foodbank of Central and Eastern North Carolina
- Hennepin Healthcare Foundation, Minnesota
- Human Rights First, New York
- Human Rights Watch, New York
- Institute for Human Services, Charleston
- Kent Denver School, Colorado
- Kids Quest Children’s Museum, Bellevue
- Louisiana Tech University Foundation
- Mennonite Economic Development Associates (Mena), Waterloo
- Middlebury College, Vermont
- New College of Florida
- New Hampshire Public Radio
- Project for the rights of north-western immigrants
- Open Space Institute, New York
- Rhode Island Design School
- Parish of St. Ignatius of Loyola, New York
- St Mary’s College of Maryland Foundation
- Foundation of the San Diego public library
- Springfield Museums, Massachusetts
- The Bishop Strachan School, Toronto
- University of Dayton
- University of North Florida
- University of Western Ontario
- Urban School, San Francisco
- Ventura College Foundation, California
- Vermont Foodbank
- Public Vermont radio
- University of West Virginia
- Worcester State University, Massachusetts