According to the BBC, at least 10 universities in the UK, US and Canada have lost data about students and alumni after hackers attacked the schools’ computing provider. The Blackbaud ransomware hack is one of the biggest this year, as more companies are reportedly being hacked during the COVID-19 pandemic.
Other bodies affected in the attack include Human Rights Watch and the children’s mental health charity Young Minds.
The main target was Blackbaud, one of the world’s largest providers of education administration, fundraising and financial management software. The company’s systems were hacked in May. It has since faced backlash for not disclosing the breach until July, despite having paid an undisclosed ransom.
In some cases, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
The institutions the BBC has confirmed have been affected are:
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design in the US
- University of Exeter
Soon afterwards, the institutions affected by the Blackbaud ransomware hack began emailing apologies to the students and alumni whose data was involved.
In some cases the stolen data also included phone numbers, donation history and the events a particular person had attended. Credit card and other payment details do not appear to have been compromised.
Blackbaud, for its part, still declined to provide a complete list of the universities affected by the ransomware attack, saying it wanted to “respect the privacy of our customers.”
“The majority of our customers were not part of this incident,” the company claimed.
It referred the BBC to a statement on its website: “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”
The company also stated that it paid the ransom demand, which is not illegal but goes against the advice of law enforcement agencies such as the FBI, NCA and Europol.
Blackbaud added that it had been given “confirmation that the copy [of data] they removed had been destroyed”.
Several Blackbaud clients listed on its site have confirmed they were not affected, including:
- University College London
- Queen’s University Belfast
- University of the West of Scotland
- Islamic Relief
- Prevent Breast Cancer
“My main concern is how reassuring – impossibly so, in my opinion – Blackbaud were to the university about what the hackers have obtained,” commented Rhys Morgan, a cyber-security specialist and former student at Oxford Brookes University, whose data was involved.
“They told my university that there is ‘no reason to believe that the stolen data was or will be misused’.
“I can’t feel reassured by this at all. How can they possibly know what the attackers will do with that information?”
Blackbaud also said it is working with law enforcement agencies and third-party investigators to monitor whether the stolen information is being circulated or sold on the dark web.
Barrister blogger Matthew Scott was also sent an email about the hack.
“I doubt that my university has many details that aren’t pretty easily available, but I am more concerned about giving in to the blackmail and blithely accepting the word of the blackmailer that all the data has now been destroyed,” he told the BBC.
Blackbaud ransomware hack and Privacy law
Privacy laws such as the General Data Protection Regulation (GDPR) have been put in place to protect user privacy; the GDPR requires companies to report a significant breach to data protection authorities within 72 hours of learning of an incident, or face potential fines.
Blackbaud, however, did not report its own case for weeks, only notifying the UK Information Commissioner’s Office (ICO) and the Canadian data protection authorities this past week.
An ICO spokeswoman said: “Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually.”
Leeds University said, in a statement: “We want to reassure our alumni that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected. No action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant.”
This is another major incident in a year of large-scale data theft around the world: Twitter recently had a number of high-profile users’ accounts hijacked, with US$100,000 worth of bitcoin stolen in the process.