At least six British universities were targeted in Blackbaud ransomware attack
At least seven higher education institutions in the UK have been hit in a global ransomware attack targeting US-based cloud computing provider Blackbaud.
Blackbaud’s systems were hacked in May, but the incident was not publicly disclosed until 16th July.
According to the BBC, the institutions that were affected in the cyber attack include:
- University of York
- University of London
- University of Leeds
- University of Reading
- Oxford Brookes University
- University College, Oxford
- Loughborough University
- Ambrose University in Alberta, Canada
- Young Minds
- Human Rights Watch
- Rhode Island School of Design in the US
In a statement on its website, Blackbaud revealed that it had paid an undisclosed ransom to hackers after being promised that the data stolen from the Blackbaud’s systems would be destroyed.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” the company said.
“Based on the nature of the incident, our research and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” it added.
No bank account details, credit card details or social security numbers of any individual were accessed by hackers, according to the company.
— Kevin Beaumont (@GossiTheDog) July 23, 2020
According to BBC, the hackers were able to steal names, gender, contact information, email address and donation history in some cases.
Some affected institutions, including the University of London, University of York, Oxford Brookes and Ambrose University have written to their former students, faculty and donors about the security incident warning them that their data may have been compromised in the breach.
In a statement, the University of York said that university officials were “working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.”
The university said it has informed Information Commissioner Office (ICO) about the incident and was “awaiting further guidance”.
The ICO said: “People have the right to expect that organisations will handle their personal information securely and responsibly.”
“The University of York has reported an incident to us, and we will be making inquiries.”
But, this is not the first incident in which British universities have been targeted in cyber attacks.
In 2018, a group of Iranian hackers attempted to hack into the systems of 18 or more UK universities in a campaign that lasted for several months and successfully penetrated the defences of at least one target.
The hackers tried to phish people with university log-ins in an attempt to learn their passwords. To make the emails look genuine, the group created several fake websites that looked similar to the originals.