De Montfort, KCL, Newcastle universities join list of Blackbaud victims

Blackbaud, the South Carolina, US-based cloud services supplier at the centre of an unfolding data breach incident, is facing renewed pressure after more UK universities and a number of charities warned their students and alumni that their personal information may have been exposed.

The ransomware attack on Blackbaud took place in May 2020, yet the firm, which claims to “power social good”, not only paid off its hackers but kept information on the attack from its UK customers in the education and charity sector for two months, only informing them on 16 July. It has made no further statement since then.

It has now emerged that besides the University of York, data from De Montfort University, King’s College London (KCL) and Newcastle University was stolen, as well as the University of Aberystwyth and South Wales University, as per the BBC; Sheffield Hallam, as per the Sheffield Star; and University College Oxford, as per Infosecurity Magazine.

Meanwhile, charity sector magazine ThirdSector has reported that homeless charity Crisis and mental health charity Young Minds are also victims of the Blackbaud hackers.

De Montfort, KCL and Newcastle informed those affected by the breach in emails seen by Computer Weekly. All three institutions said they took data protection seriously and were confident that no financial or password details were taken, yet all three also confirmed they had taken seriously Blackbaud’s assurance that the data held by the cyber criminals was destroyed after the ransom was paid, which is by no means a guarantee.

KCL said it had terminated its contract with Blackbaud, and all three of these institutions have made their own reports to the Information Commissioner’s Office (ICO).

An ICO spokesperson said: “People have the right to expect that organisations will handle their personal information securely and responsibly. The cloud software company Blackbaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries.

“Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted. Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied.”

Jamie Akhtar, co-founder and CEO of CyberSmart, added: “Education is one of the most vulnerable and least protected industries. In May 2020, Microsoft Security Intelligence found that 61% of nearly 7.7 million enterprise malware encounters came from those in the education sector, making it the most affected industry for cyber attacks.

“The shift to online and distance learning online has been a trend even before Covid-19 and organisations are suffering from a lack of IT resources for protection. Last year, a hacker-simulation test proved 100% successful in breaching 50 universities across the country to access student and staff personal data, financial systems and valuable research networks.”

Jonathan Knudsen, senior security strategist at Synopsys, added: “The Blackbaud incident shows that managing software risk has a larger scope than just one organisation. The software security deficiencies of partner or supplier organisations become your own problem when you depend on them for delivering products or services.

“Correctly managing software and business risk encompasses managing risk from external vendors. It is easy to take software for granted as just part of doing business, but it is crucial to understand that the software we all use is itself a significant source of risk and must be managed just like any other business risk.”

Meanwhile, statistics compiled by Redscan from a series of Freedom of Information (FoI) requests found that 54% of UK universities have reported some kind of data breach to the ICO in the past 12 months.

In a report laying bare the extent of under-investment in security in the education sector, Redscan also found that a quarter of universities have done no external penetration testing, and close to 50% have not given their staff appropriate security training in the past year. It also found that 12% did not offer any kind of security guidance, support or training to students.

Redscan CTO Mark Nicholls said: “UK universities are among the most well-respected learning and research centres globally, yet our analysis highlights inconsistencies in the approach that institutions are taking to protect their staff, students and intellectual property against the latest cyber threats. 

“The fact that such a large number of universities don’t deliver cyber security training to staff and students, or commission independent penetration testing, is concerning. These are foundational elements of every security programme and key to helping prevent data breaches. 

“Even at this time of intense budgetary pressure, institutions need to ensure that their cyber security teams receive the support they need to defend against sophisticated adversaries. Breaches have the potential to seriously impact organisations’ reputation and funding.”

Nicholls added: “The threat posed to universities by nation state attackers makes the need for improvements even more critical. The cost of failing to protect scientific research is immeasurable.”