The ransomware attack that targeted Blackbaud, among the world's largest providers of alumni database software, impacted at least 125 organisations in the UK, including a large number of schools, universities, and non-profits.
The ransomware attack, which forced Blackbaud to pay the hackers to recover access to an encrypted database, first came to light last week when the University of York announced that a ransomware attack suffered by its CRM provider Blackbaud had resulted in a cyber criminal stealing the personal information of its alumni, staff, and students.
By Friday, the 24th of July, it appeared that the ransomware attack not only resulted in the compromise of sensitive data belonging to the University of York, but also data belonging to several other universities located in the UK, the United States, and Canada.
The list of affected universities includes the University of York, University of Exeter, University of Leeds, University of London, University of Reading, University College, Oxford, Oxford Brookes University, Loughborough University, Ambrose University in Alberta, Canada, and Rhode Island School of Design in the US.
The hacker who stole a subset of data managed by Blackbaud also gained access to information belonging to Human Rights Watch as well as Young Minds, a mental health charity. Such a massive haul was possible because Blackbaud is among the world's largest providers of education administration, fundraising, and financial management software.
Over a hundred organisations suffered as a result of the Blackbaud hack
According to the BBC, the Information Commissioner's Office (ICO) told the broadcaster that so far as many as 125 organisations in the UK have reported the ransomware attack, indicating that the cyber incident has had a far greater impact on UK organisations than initially believed.
Among the most prominent organisations that confirmed this week that they had been affected by the ransomware attack were the National Trust, Newcastle University, De Montfort University, King’s College London (KCL), mental health charity Young Minds, terminal illness charity Sue Ryder, and homeless charity Crisis.
The ransomware attack also impacted Hungary's Central European University, St Albans in Hertfordshire, Radley College in Abingdon, St Aloysius in Glasgow and ACS International, as well as a number of religious groups, public radio stations, and cancer charities.
“People have the right to expect that organisations will handle their personal information securely and responsibly. The cloud software company Blackbaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries.
“Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted. Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied,” said an ICO spokesperson.
Organisations must stay vigilant about data security practices of supply chain partners
Commenting on the severe impact of the ransomware attack targeting Blackbaud, Jeremy Hendy, CEO of Skurio, said that recent developments in the Blackbaud cyber attack, where 125 companies have reported the breach to the ICO, highlight the third-party risks that all organisations face. It raises questions as to whether the threat actors were aware of who Blackbaud was working with and targeted the company because of this.
"Breaches often happen through a security failure at a supply chain partner, three or four levels removed from your own organisation. Universities and non-profits have complex digital ecosystems, with student, staff and donor data potentially flowing through thousands of different technologies – many of which may not be visible. No matter how good your own network security, someone else may lose your data and bad actors are ready to exploit this, that’s why you need to be securing your data, not just your network.
"All organisations in a digital supply chain are generally businesses with their own supply chain – it is critical that they enforce security standards with their own suppliers, require ISO certification, set mandatory requirements for data processing. In particular, after the recent European Court of Justice ruling, organisations should be more vigilant with any suppliers relying on the European Privacy Shield as a protective standard," he added.