On July 21, the University of York in England informed its student body of a cybersecurity incident. According to an official statement, the university had been notified of a major ransomware attack and data breach suffered by the U.S.-based vendor Blackbaud:
On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data.
The University of York stated that the primary types of data stolen in the ransomware attack include personal data such as names, student IDs, contact information, records of major dealings with the university (e.g., alumni programs), and more. Blackbaud soon released an official statement in response to growing criticism that it had been far too slow in handling the incident. Through this security incident notice, it became clear that the ransomware attack and subsequent data breach affect far more than just the University of York.
The statement, on its own, was rather vague and more or less outlined what was already known. One component of the statement was rather interesting, however, namely where Blackbaud says, “The subset of customers who were part of this incident have been notified and supplied with additional information and resources.” Noticing the plural “customers” and inferring that there were other victims, InfoSec reporters conducted their own investigation.
According to the BBC, a number of universities were affected beyond the University of York. In their article, tech reporters Joe Tidy and Leo Kelion name nine other higher education institutions, including University College Oxford, the University of London, Canada’s Ambrose University, and the Rhode Island School of Design. Even more damning to Blackbaud’s reputation is the fact that BBC News also discovered that the breach affects Human Rights Watch and Young Minds (a children’s mental health charity).
Blackbaud may be facing serious consequences for its failure to inform its clients of the data breach quickly. It is apparently in direct breach of GDPR, which requires alerting affected parties about incidents within 72 hours, and will have to suffer the blowback for that. This is more than a PR nightmare for Blackbaud; it very well could be the end of its business.
Featured image: Wikimedia/Arian Kriesch