Bletchley Park Trust among high-profile victims of Blackbaud ransomware attack

Bletchley Park have confirmed that the ransomware attack, that targeted database software provider Blackbaud in May and impacted at least 125 UK organisations, also compromised the personal information of members and donors of Bletchley Park Trust.

The iconic museum, that served as the home for Britain's elite code-breakers and the Government Code and Cypher School (GC&CS) during the Second World War, is a popular attraction for codebreakers and history buffs, offering visitors the opportunity to participate in codebreaking puzzles and view unique wartime footage and photographs.

Earlier this week, Bletchley Park Trust announced in an email that the personal information of trustees and donors had been compromised in May when database software provider Blackbaud suffered a major ransomware attack. A large number of organisations in the UK, including dozens of universities and charities that use Blackbaud's CRM software, were impacted as a result of the cyber attack.

On 29th July, the Information Commissioner's Office said that as many as 125 organisations in the UK had reported the ransomware attack. These included the National Trust, Newcastle University, De Montfort University, King’s College London (KCL), mental health charity Young Minds, terminal illness charity Sue Ryder, and homeless charity Crisis.

The list of affected universities includes the University of York, University of Exeter, University of Leeds, University of London, University of Reading, University College, Oxford, Oxford Brookes University, Loughborough University, Ambrose University in Alberta, Canada, and Rhode Island School of Design in the US.

"We were recently notified by Blackbaud, one of our software suppliers, that they have suffered a data breach due to a ransomware attack on their own system... Unfortunately, a significant number of universities and charities have been affected by this issue and this list includes Bletchley Park Trust," the Trust said in an email accessed by Milton Keynes.

"This breach involved records containing personal information, which may include one or more data fields such as names, titles, dates of birth, email addresses, donation history, mailing or e-newsletter list preference, event attendance or membership, depending on data subjects’ engagement with the Bletchley Park Trust.

"The Blackbaud Cyber Security team, along with independent forensics experts and law enforcement agencies, successfully stopped the attack and secured the destruction of any data held by the cybercriminal. Blackbaud has informed us that it has no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom," the Trust added.

"Blackbaud has informed us that it has no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom. Accordingly, they advise that they do not believe that it will be misused or will be disseminated or otherwise made available publicly.

"Blackbaud have reported this breach to the Information Commissioner’s Office (ICO), and we also submitted our own report to the ICO and are working with them to ascertain any follow up actions required. We have initiated a review of how and where we store our data and our future relationship with Blackbaud," read a statement from the Trust.