Over 20 charities and universities based in the UK, Canada, and the USA, including Oxford’s University College, have now confirmed they have fallen victim to a data breach, after their software provider Blackbaud was hacked.

Internationally recognised as the largest supplier of educational administration, financial management and fundraising software, Blackbaud has not yet revealed the extent of the data breach. However, it has disclosed that cybercriminals held the cloud service company to ransom in May, and that it made the decision to pay the unconfirmed amount requested.

Appropriate action after a data breach

Blackbaud has come under fire for warning victims that their private data had been taken only many weeks after the incident took place. While in some instances the Personally Identifiable Information (PII) exposed was limited to former graduates whom the institutions had asked for financial support, in other cases the personal data exposed extended to existing students, supporters, and staff.

Under the General Data Protection Regulation (GDPR), enterprises are obliged to report any significant breaches to the designated data authorities within 72 hours of identifying an incident, or they will incur expensive penalties.

Educational institutions confirmed to have been impacted were listed in a recent report by the BBC. UK universities in Leeds, London, Birmingham, York, Exeter, Strathclyde, Reading, and Oxford were affected, while North American colleges and universities in Florida, Vermont and Alberta, among others, also suffered a breach. Several charities were also affected, including Young Minds and Human Rights Watch.

Now notified, the institutions are currently sending out communications via email and letter, apologising to individuals whose personal information was exposed on the compromised databases.

A plethora of PII exposed

At some of the establishments affected, the stolen data comprised personal phone numbers, events attended and even donation history, although credit card payment details appear to have avoided exposure.

A spokesperson for the UK’s National Cyber Security Centre (NCSC) said:

“We are aware of this incident and are supporting partners in the UK and internationally in response. We would urge all organisations to read our guidance on how to defend themselves against malware and ransomware attacks.”

In a recent statement via its website, Blackbaud insisted that:

“In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment. The majority of our customers were not part of this incident.”

Against the official advice typically offered by multiple law enforcement agencies, such as the NCA, Europol and the FBI, Blackbaud chose to concede to the ransom demands and pay the hackers responsible.

In return for an undisclosed sum, the software supplier was given evidence that the copy of the database taken had been destroyed. Cybersecurity professionals have commented that the decision to pay following a ransomware attack is worrying, as it can arguably encourage future attacks and ultimately cannot undo the fact that personal information has been compromised.