A Welsh university has confirmed that it is one of more than 20 institutions in the UK, US and Canada that have been hit after hackers attacked a cloud computing provider.
Aberystwyth University reassured current students and alumni that “no bank account or credit card was seized” during the attack.
The hack targeted Blackbaud, which is a leading provider of financial management and education administration software.
The ransomware attack took place in May.
Aberystwyth University is “urgently investigating” after confirming that the hack “affected a web portal and information management system for former students and supporters”.
Blackbaud, a US-based company, has come under fire for not disclosing the hack of its systems externally until July and for paying the hackers an undisclosed ransom.
In some of the attacks on other universities, the data was limited to that of former students, who had been asked to financially support the institutions from which they had graduated. But in others, it extended to staff, existing students and other supporters.
About 10,000 students study at the 148-year-old institution in Central Wales each year and the university said it was reassured that “the stolen data has now been destroyed and it had no reason to believe that it had been misused”.
“Blackbaud has offered assurances that no bank account or credit card details have been entered,” a spokesperson for the university said.
“We take data security very seriously. We are urgently investigating this incident and awaiting further details from Blackbaud.
“We are in the process of reaching out to users of the online portal and e-newsletter recipients of alumni and supporters who we believe have been affected.”
The university reported the breach to the Information Commissioner’s Office and said it “will cooperate fully with any further action it wishes to take.”
Other institutions have also been affected, including York University, Loughborough University, University of London and University College Oxford.
“Ransom demand paid”
Blackbaud, which is headquartered in South Carolina, declined to provide a full list of those affected, saying it wants to “respect the privacy of our customers.”
“The majority of our customers were not part of this incident,” the company said.
It referred the BBC to a statement on its website: “In May 2020, we discovered and stopped a ransomware attack. Before locking the cybercriminal out, the cybercriminal deleted a copy of a subset of data from our self-hosted environment.”
The statement goes on to say that Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of many law enforcement agencies, including the FBI, NCA and Europol.
Blackbaud added that it had received “confirmation that the copy [of data] they removed had been destroyed”.
Blackbaud said it is working with law enforcement and third-party investigators to monitor whether data is being disseminated or sold on the dark web, for example.
Under the General Data Protection Regulation (GDPR), businesses must report a material breach to data authorities within 72 hours of becoming aware of an incident – or face potential fines.
The UK Information Commissioner’s Office (ICO), as well as Canadian data authorities, were notified of the breach last weekend – weeks after Blackbaud discovered the hack.
An ICO spokesperson said: “Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will inform both Blackbaud and the respective controllers, and encourage all relevant controllers to assess whether they should report the incident individually to the ICO.”