A number of universities globally have had data stolen in an apparent ransomware attack on their systems.
Hackers are believed to have accessed information through a third-party cloud computing provider called Blackbaud, gaining access to details such as phone numbers and donation history.
Universities in the UK, the US and Canada were hit by the attack, including the University of Leeds, Ambrose University in Alberta, Canada and Rhode Island School of Design in the US.
Blackbaud says it has subsequently paid the hacker an undisclosed ransom after claims that the data had been destroyed and no credit card details or bank information was accessed.
In a statement, Blackbaud said: “In May of 2020, we discovered and stopped a ransomware attack.
“After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.
“The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. “
Blackbaud added that, through their investigation, they had “no reason to believe that any data went beyond the cybercriminal, was or will be misused,” and will not be made public.
- US Accuses China of Using Surveillance and Censorship Worldwide
- Report | Employee Mistakes Cause Almost Half of Cybersecurity Issues
- Russia Report Reveals Interference in Scottish Independence Referendum
Under the current Data Protection Regulation (GDPR) law, companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
However, the UK Information Commissioner’s Office (ICO) and data authorities in Canada were only made aware of the hack this week – almost two months since the initial attack took place.
A spokesman from the UK Information Commissioner’s Office (ICO) said: “Blackbaud has reported to the ICO an incident that affected multiple data controllers.
“We will ask both Blackbaud and their respective manager’s questions and encourage all interested controllers to consider whether they should report the incident to the ICO individually “.
All affected universities say they will contact staff, students and donors to apologise for the hack.
Chief Data Officer at OutThink, Dr Shorful Islam, believes that lack of security education at Blackbaud could be a factor in the data breach.
“Ironically, an attack that has affected so many universities really shows the limitations of just educating users about cybersecurity and not targeting them with relevant material,” he commented.
“What was initially a ransomware attack on Blackbaud, caused by human error, has snowballed and effected numerous customers, including high-profile universities and charities. This should be a warning to companies – hackers will always look to do as much damage as they can and the first attack is rarely the end of the story.
A report from the security firm Tessian released this week showed that 43% of workers have made cybersecurity mistakes that negatively impacted their organisation. The data revealed how stress, distraction and workplace disruption can cause people to make more mistakes at work.
Islam continued: “Of course, busy users are always going to make mistakes and leave CISOs vulnerable, but instead of blaming them or putting them through more training, we need to be identifying these high-risk individuals and making targeted interventions in order to reduce risk.
“This could be having a one to one discussion about security and how it works for them, or deploying more robust security controls to protect their emails, but without a deeper understanding of human risk, CISOs cannot address these problems.”