The ransomware attack targeting database software provider Blackbaud resulted in hackers accessing information about thousands of donors to the Labour Party, in addition to data belonging to over a hundred universities, charities, and businesses.
According to ITV News, hackers have been able to access information about thousands of people who donated to the Labour Party in the past several years, including those who donated less than £7,500 and did not have to declare their donation to the Electoral Commission.
The information was stored in Raiser’s Edge, fundraising and donor management software created by Blackbaud, which the Labour Party was using when the ransomware attack took place.
“We have been alerted by one of our suppliers, Blackbaud, that they have suffered a data breach. We have reported the matter to the ICO and are working to establish further facts around this situation. We will take any action necessary in line with our statutory obligations,” the party said via a spokesperson.
According to the BBC, the Information Commissioner's Office has revealed that so far, as many as 125 organisations in the UK have reported the ransomware attack, including National Trust, Newcastle University, De Montfort University, King’s College London (KCL), mental health charity Young Minds, terminal illness charity Sue Ryder, and homeless charity Crisis.
The ransomware attack also affected a number of UK universities, including the University of York, University of Exeter, University of Leeds, University of London, University of Reading, University College, Oxford, Oxford Brookes University, and Loughborough University, as well as Ambrose University in Alberta, Canada, and Rhode Island School of Design in the US.
The ransomware attack also impacted Hungary's Central European University, St Albans in Hertfordshire, Radley College in Abingdon, St Aloysius in Glasgow, and ACS International, as well as a number of religious groups, public radio stations, and cancer charities.
Commenting on the Labour Party suffering a data breach due to the ransomware attack on Blackbaud, Stephen Roostan, VP EMEA at Kenna Security, said that the fact that the breach occurred via a third party - in this case IT services provider, Blackbaud - will hold no muster when it comes to pointing the finger of liability.
"It is the responsibility of an organisation’s most senior leaders to scrutinise and understand the agreements that they’re entering into with every third party vendor - no matter how low-risk it might initially seem.
"It’s obvious that protecting financial data is a top priority - but what about your marketing data stored on a CRM system? Should that be afforded the same level of protection? Maybe. Maybe not, as what determines risk for one company will be different for another. The point is that it’s a decision the senior management must make and then they must dig into the contractual detail to ensure that what they’re signing up to will deliver the redress they need should a cyber disaster strike (which undoubtedly it will at some point)," he added.