Blackbaud Hack: Additional UK Universities Confirmed In Breach

Reading Time: 5 minutes

Blackbaud, a US-based software supplier for education administration, fundraising and financial management needs had been the victim of a ransomware attack in May of 2020.

We recently became aware of an additional 10 Universities that had Alumni, Current Students and Faculty compromised.

Huh? What Happened With Blackbaud and Ransomware?

In May of 2020, Blackbaud had learned of an intrusion on their network and contacted local law enforcement and independent forensic experts to work in conjunction with Blackbaud’s own security team.

A Blackbaud spokesperson advised that the teams were able to prevent the blocking of system access for users and fully encrypting files.

As the records show, the first indications that something was amiss came from the confirmation of malicious code running within the Blackbaud internal network.

The internal security team stopped this threat which progressed the attack to encrypting data and demanding a ransom.

Blackbaud had declined to disclose the amount paid, which data center was compromised initially or how many users are affected. The only main disclosure is that the ransom was paid and was paid through a Bitcoin transaction.

“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cyber criminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cyber criminal, and we only paid the ransom when we received credible confirmation that the data was destroyed,” the spokesperson said.

“As a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” she said.

Blackbaud spokesperson

Officials said they have confirmation that the stolen data was destroyed after the ransom was paid. “We have no reason to believe that any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly,” the spokesperson said.

Don’t A Lot Of Companies Find Themselves In Similar Situations?

Blackbaud had caught criticism after paying the ransom and then taking multiple weeks to warn clients and potential victims that the data had been stolen.

Some of the stolen data contained specific information on donors, students and members including phone numbers, donation history and events attended.

Financial information including bank accounts, payment details, social security numbers or credit cards do not appear to be included in the breach.

“We are aware of this incident and are supporting partners in the UK and internationally in response. We would urge all organizations to read our guidance on how to defend themselves against malware and ransomware attacks.”

A spokesman from the UK’s National Cyber Security Centre

The South Carolina headquartered company, Blackbaud, urges that “the majority of our customers were not part of this incident”.

“In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.

Statement Issued From Blackbaud’s Website

More than 20 universities and charities in the UK, US and Canada have confirmed they are victims of the cyber-attack and more are being identified every week.

Blackbaud is not revealing the scale of the breach.

Dozens more charities and educational organizations may have been affected.

In some cases, the personal details were limited to those of former students, who had been asked to financially support the establishments from which they had graduated. But in other cases, it extended to staff, existing students and other supporters.

What Additional Universities and Charities Have Been Confirmed Compromised?

The following institutions the BBC has confirmed affected:

  • University of Birmingham
  • De Montfort University
  • University of Strathclyde
  • University of Exeter
  • University of York
  • Oxford Brookes University
  • Loughborough University
  • University of Leeds
  • University of London
  • University of Reading
  • University College, Oxford
  • Middlebury College, Vermont
  • West Virginia University
  • New College of Florida
  • Cheverus High School: Catholic High School Portland
  • The Bishop Strachan School, Canada
  • University of North Florida
  • Ambrose University, Alberta, Canada
  • Rhode Island School of Design, US

Other organizations, including charities, confirmed as affected are:

  • Choir with No Name
  • Vermont Foodbank
  • Vermont Public Radio
  • Northwest Immigrant Rights Project
  • Human Rights Watch
  • Young Minds

Hackers Were Paid

While the act of paying the ransom demand is not illegal, it does go agianst the advice of numerous law enforcement agencies including the FBI, NCA and Europol.

“It is worrying that the supplier paid the ransom as, arguably, this encourages future attacks and doesn’t overcome the fact that data has been compromised. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise,”

Cath Goulding, chief information security officer at cyber-security firm Nominet

While the exact number of those being sent notifications is unknown, alumni and students affected have expressed their concerns and feelings on Social Media regarding fears of cyber-criminals potential future attacks.

Privacy Law Violation?

One of the main reasons this attack has garnered so much attention, aside from the fact that those affected are of the age where social media and distribution of information is second nature – but – the potential implication so violation the law.

Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.

As the timeline has indicated – the first time that the UK’s Information Commissioner’s Office ( ICO ) as well as the Canadian Data Authorities was weeks after Blackbaud initially discovered the hack.

On the notice to its students, West Virginia University Foundation said it was “working with Blackbaud to understand why there was a delay between it finding the breach and notifying us, as well as what actions Blackbaud is taking to increase its security.”

It has not been confirmed or denied as to the extent the GDPR will be enforced in this situation.

Leave a Reply

Your email address will not be published. Required fields are marked *