A major ransomware attack that compromised a database managed by CRM solutions provider Blackbaud in May, and which impacted the University of York, has also affected at least ten other universities based in the UK, the US, and Canada.
Earlier this week, the University of York announced that a ransomware attack suffered by its CRM provider Blackbaud resulted in a cyber criminal stealing the personal information of its alumni, staff, and students and using the data to demand ransom from the company.
The ransomware attack took place in May and resulted in the hacker accessing names, titles, gender, dates of birth, student numbers, addresses, phone numbers, email addresses, and LinkedIn profile URLs of members of the University community.
The breach also compromised details of qualifications, courses attended, extracurricular activities, fundraising activities, records of members' engagement with alumni, event participation, volunteering, professional details, as well as information about members' interests that was obtained through surveys.
For its part, Blackbaud said its cyber security team was able to prevent the hacker from blocking its IT system and fully encrypting files after the ransomware attack was detected. However, it was not able to prevent the hacker from stealing a subset of data that stored information belonging to its clients.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed," the company said.
"The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologise that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident," it added.
Various universities, Human Rights Watch and a charity were also affected
According to the BBC, the ransomware attack not only resulted in the compromise of sensitive data belonging to the University of York, but also of data belonging to several other universities located in the UK, the United States, and Canada.
The list of affected universities includes the University of York, University of Exeter, University of Leeds, University of London, University of Reading, University College, Oxford, Oxford Brookes University, Loughborough University, Ambrose University in Alberta, Canada, and Rhode Island School of Design in the US.
The hacker who stole a subset of data managed by Blackbaud also gained access to information belonging to Human Rights Watch as well as Young Minds, a mental health charity. Such a massive haul was possible because Blackbaud is among the world's largest providers of education administration, fundraising, and financial management software.
The Information Commissioner's Office has been notified about the ransomware attack and data breaches suffered by several universities as a consequence. "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually," it said.
Commenting on the ransomware attack impacting a large number of universities, Haroun Hickman, Commercial Director at UK privacy and data ethics startup Metomic, said that Blackbaud’s violation of GDPR is incredibly concerning, especially given it was seemingly done to allow for extremely suspect ransom negotiations.
"The ICO must be rigorous in its investigation into why the company delayed reporting the hack, but they are not the only ones who should be taking stock. The incident highlights the need for companies and institutions to have more visibility and control over what data they're sharing with third parties, why they're sharing it and in what form.
"This isn’t something that can be solved by lawyers, instead businesses need to be engaging with developers that will build preventative measures into their technology; to protect their customers’ data and safeguard their own reputation," he added.