Blackbaud breach sparks legal threat to UK universities

UK universities, many of which are already facing criticism for locking up students in Covid-19 isolation, could soon be facing another headache with the threat of legal action over their involvement in the Blackbaud ransomware attack in the US.

More than 30 universities, including Manchester, South Wales, Glasgow, Oxford Brookes, Liverpool and Leeds, which also have coronavirus cases, were among 125 organisations that contacted the Information Commissioner’s Office in the summer to report they had been affected by the Blackbaud breach.

The incident first emerged in July when clients of the US cloud computing and education software giant started to demand answers after the firm admitted to paying off hackers to delete a copy of sensitive data stolen during a cyber-attack in May.

Initially, the company tried to play down the incident, insisting that no payment card or bank account details had been compromised. However, it was then revealed that equally sensitive information, including name, age and address; assets and estimated wealth; value of past donations; history of political and philanthropic gifts; and spouse’s identity and gift-giving history had been leaked in some cases.

Charities including the National Trust, Sue Ryder, Young Minds and Crisis were also affected.

Now, law firm Simpson Millar says it has been contacted by hundreds of people from institutions connected to the breach, concerned that their details may have been lost.

Simpson Millar head of professional negligence Robert Godfrey claims anyone affected could have a valid claim for damages against their own university or charity.

Godfrey said: “We have had members of the universities contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR and data protection rules.

“I am confident any person whose details have been accessed could have a valid claim. It is clear there has been a breach of individuals’ right to privacy and the universities are ultimately responsible.

“There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives. The universities have a very clear duty of care to ensure that the members of their sites, who hand over their confidential information to them have their data secure and protected, are not exposed such as has happened in this breach.”

A spokesperson for the University of Surrey said: “When we were informed of this incident by Blackbaud earlier in the summer, we immediately launched a detailed investigation into the circumstances and took action to ensure those who may have been affected were notified.

“Our inquiries reassured us that individuals linked to the university did not need to take any specific actions beyond normal, day-to-day online security precautions.”

The University of Birmingham said it was not “currently aware” of any claims resulting from the Blackbaud incident, while Newcastle, Cumbria, Manchester, South Wales, Glasgow, Oxford Brookes, Liverpool and Leeds have yet to comment on the potential action.
