CRM solutions provider Blackbaud has confirmed that hackers, who carried out a successful ransomware attack in May, also accessed the bank account information, social security numbers, and usernames and passwords belonging to some of its clients.
In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, Blackbaud, among the world's largest providers of alumni database software, said that after completing a forensic investigation into the security incident, it has determined that hackers gained access to more data records than initially believed.
"After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.
"In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support," the firm said.
"We expect our Security Incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate," it added.
In July, the Information Commissioner's Office told BBC that the ransomware attack targeting Blackbaud had impacted at least 125 organisations in the UK, including the National Trust, Newcastle University, De Montfort University, King’s College London (KCL), mental health charity Young Minds, terminal illness charity Sue Ryder, and homeless charity Crisis.
The list of affected universities includes the University of York, University of Exeter, University of Leeds, University of London, University of Reading, University College, Oxford, Oxford Brookes University, Loughborough University, Ambrose University in Alberta, Canada, and Rhode Island School of Design in the US.
Bletchley Park, the iconic museum that served as the home for Britain's elite code-breakers and the Government Code and Cypher School (GC&CS) during the Second World War, was also affected by the ransomware attack with hackers accessing the personal information of trustees and donors.
"This breach involved records containing personal information, which may include one or more data fields such as names, titles, dates of birth, email addresses, donation history, mailing or e-newsletter list preference, event attendance or membership, depending on data subjects’ engagement with the Bletchley Park Trust.
"The Blackbaud Cyber Security team, along with independent forensics experts and law enforcement agencies, successfully stopped the attack and secured the destruction of any data held by the cybercriminal. Blackbaud has informed us that it has no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom," the Bletchley Park Trust said.