Clients of US cloud computing giant Blackbaud, which specialises in the charity and education sectors, have started to demand answers after the firm admitted to paying off hackers to delete a copy of sensitive data stolen during a cyber-attack in May.
The firm, which offers solutions for fundraising and CRM, marketing, ticketing, financial management, payment processing and analytics, only fessed up to the incident last week, nearly two months later.
Blackbaud claims that it was able to stop the breach without any disruptions to its business but admitted that a “subset” of customer data had been stolen.
The University of York, whose motto is “On the threshold of wisdom”, has become the first organisation to publicly demand more information, questioning Blackbaud’s own wisdom in delaying notification for so long.
For its part, Blackbaud said it had agreed to cough up because its customers’ data was a “top priority”. In a statement, it added: “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber criminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
The University of York said it was working with Blackbaud to understand why there was such a long delay in notifying it of the breach. The university used the service to record engagement with members of its community, including alumni, staff and students, and extended networks and supporters.
A spokesman said: “We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our data protection officer and IT security team.
“We very much regret the inconvenience that this data breach may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.”
The university also said it had reported the incident to the Information Commissioner’s Office and was investigating how many others in the higher education and not-for-profit sector may have been affected.
According to a new report from cybersecurity specialist Skybox Security, ransomware has rocketed during the Covid-19 pandemic, with new cases increasing by 72% and more than 20,000 new vulnerability reports predicted for 2020, shattering previous records.