Blackbaud data breach after ransomware attack hits universities, nonprofits

On July 21, the University of York in England informed its student body of a cybersecurity issue. According to an official statement, the university was informed of a major ransomware and data breach situation suffered by the U.S.-based Blackbaud:

On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data.

The University of York stated that the primary types of data stolen in the ransomware attack include personal data like names, student ID, contact information, major dealings with the university (i.e., alumni programs), and more. Blackbaud soon released an official statement in response to growing criticism that they were far too slow in handling the incident. Through this security incident notice, it became clear that the ransomware attack and subsequent data breach affects far more than just the University of York.

The statement, on its own, was rather vague and more or less outlines what was already known. One component of the statement was rather interesting, however, namely where Blackbaud says, “The subset of customers who were part of this incident have been notified and supplied with additional information and resources.” Noticing the plural “customers” and inferring that there were other victims, InfoSec reporters conducted their own investigation.

According to the BBC, a number of universities were affected beyond the University of York. In their article, tech reporters Joe Tidy and Leo Kelion name nine other higher education institutions, including University College Oxford, the University of London, Canada’s Ambrose University, and the Rhode Island School of Design. Even more damning to Blackbaud’s reputation is the fact that BBC News also discovered that the breach affects Human Rights Watch and Young Minds (a children’s mental health charity).

Blackbaud may be facing serious consequences for its failure to quickly inform their clients of the data breach. They are apparently in direct breach of GDPR, which requires alerting affected parties about incidents within 72 hours, and will have to suffer the blowback for that. This is more than a PR nightmare for Blackbaud; it very well could be the end of their business.

Featured image: Wikimedia/ Arian Kriesch

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

See the light: How to avoid webcam hacking

With so many employees video conferencing from home, the webcam may be a portal to…

3 days ago

Using Intel VTune Profiler performance analyzer on Hyper-V VMs

The Intel VTune Profiler performance analyzer can do more than monitor a system’s CPU utilization.…

3 days ago

The evolution of backup: Interview with Altaro’s Simon Attard

Backup is not the glitziest part of an IT pro’s job, but it may be…

4 days ago

U.S. Department of Veterans Affairs experiences data breach

A successful cyberattack initiated by a social engineering campaign has caused a data breach at…

4 days ago

How to turn off or restart Windows 10 updates: Step-by-step guide

In this article, we'll show you how to turn off or restart updates in Windows…

4 days ago

Five native Windows Admin Center extensions you need to know about

Windows Admin Center is becoming the tool of choice for managing Windows Server deployments. Here…

5 days ago