Blackbaud Hack: Universities lose data to ransomware attack


Posted: 23 Jul 20 - 18:45 BST by Kane

At least seven universities in the UK and Canada have had student data stolen after hackers attacked a cloud computing provider.


Human Rights Watch and the children's mental health charity, Young Minds, have also confirmed they were affected.

The hack targeted Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software.

The US-based company's systems were hacked in May.

It has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.

In some cases, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.

The institutions the BBC has confirmed have been affected are:

  • University of York
  • Oxford Brookes University
  • Loughborough University
  • University of Leeds
  • University of London
  • University of Reading
  • Ambrose University in Alberta, Canada
  • Human Rights Watch
  • Young Minds
  • Rhode Island School of Design in the US


All the institutions are sending letters and emails apologising to those on the compromised databases.

In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.

Blackbaud, whose headquarters are based in South Carolina, declined to provide a complete list of those impacted, saying it wanted to "respect the privacy of our customers".

"The majority of our customers were not part of this incident," the company claimed.

It referred the BBC to a statement on its website: "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

The statement goes on to say Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.

Blackbaud added that it had been given "confirmation that the copy [of data] they removed had been destroyed".