At least seven universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.
Human Rights Watch and children’s mental health charity Young Minds have also confirmed that they are affected.
The hack targeted Blackbaud, one of the world’s largest providers of education administration, fundraising and financial management software.
The American company’s systems were hacked in May.
It was criticized for not disclosing this externally until July and for paying the hackers an undisclosed ransom.
The institutions that the BBC has confirmed have been affected are:
- York University
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- Ambrose University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design in the United States
All the institutions are sending letters and emails apologizing to affected staff, students, alumni and donors.
In some cases, the data stolen included phone numbers, donation history, and events attended. Credit card and other payment details do not appear to have been exposed.
Blackbaud, which is headquartered in South Carolina, declined to provide a full list of those affected, saying it wants to “respect the privacy of our customers.”
“The majority of our customers were not part of this incident,” the company said.
It referred the BBC to a statement on its website: “In May 2020, we discovered and stopped a ransomware attack. Before locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”
The statement goes on to say that Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of many law enforcement agencies, including the FBI, NCA and Europol.
Blackbaud added that it had received “confirmation that the copy [of data] they removed had been destroyed”.
Several Blackbaud customers listed on its site have confirmed that they are not affected, including:
- Oxford University
- University College London
- Queen’s University of Belfast
- University of the West of Scotland
- Islamic Relief
- Prevent Breast Cancer
“My main concern is how reassuring Blackbaud was – impossible in my opinion – to the university about what the hackers got,” commented Rhys Morgan, cybersecurity specialist and former University of Reading student, whose data was involved.
“They told my university that there was ‘no reason to believe that the stolen data has been or will be misused.’
“I cannot feel reassured by this at all. How can they know what the attackers will do with this information?”
Blackbaud said it is working with law enforcement and third-party investigators to monitor whether data is being disseminated or sold on the dark web, for example.
Lawyer and blogger Matthew Scott also received an email about the hack.
“I doubt my university has many details that are not readily available enough, but I am more concerned about giving in to blackmail and blithely accepting the blackmailer’s note that all data has now been destroyed,” he told the BBC.
Under the General Data Protection Regulation (GDPR), businesses must report a material breach to data authorities within 72 hours of becoming aware of an incident – or face potential fines.
The UK’s Information Commissioner’s Office (ICO), as well as the Canadian data authorities, were notified of the breach last weekend – weeks after Blackbaud discovered the hack.
An ICO spokesperson said: “Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will inform both Blackbaud and the respective controllers, and encourage all relevant controllers to assess whether they should report the incident individually to the ICO.”
The University of Leeds said in a statement: “We would like to reassure our alumni that since we were informed by Blackbaud of this incident, we are working around the clock to investigate what happened, in order to accurately inform those affected. No action is required by our alumni community at this time, although, as always, we recommend that everyone remain vigilant.”