Homeless charity Crisis and five more UK universities have revealed their data has been lost in the major breach at US-based cloud services and software provider Blackbaud, which last week admitted to paying off hackers following a ransomware attack.
The University of York became the first UK organisation to publicly demand more information over the incident, asking why it had taken Blackbaud nearly two months to inform its customers of the breach.
Blackbaud claims that it was able to stop the breach without any disruptions to its business but admitted that a “subset” of customer data had been stolen.
Now Crisis has confirmed the contact details of hundreds of its supporters have been stolen in the attack, while Oxford Brookes University, Loughborough University, University of London, University of Leeds and University of Reading have joined the University of York in apologising to students, faculty and donors for the breach.
Ambrose University in Canada and Rhode Island School of Design in America have also been hit, as well as Human Rights Watch and UK charity Young Minds.
In a letter to supporters, Crisis chief executive Jon Sparkes said he was “incredibly frustrated” by the breach and said the organisation was carrying out a full investigation.
The missive states: “We have recently been informed about a cyber-attack that has affected one of our suppliers called Blackbaud, who host our supporter database as well as databases for a number of other organisations.
“The cyber-attack resulted in details of some of our supporters being accessed. This included names, addresses, email addresses and telephone numbers. All financial information held by Blackbaud is encrypted and we are confident that this has not been breached.
“Blackbaud have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed and there is currently no evidence of the data being used.
“The breach affected a system that we stopped using in early 2018. Any information that you have given to us since then has not been affected.”
Blackbaud claimed it had agreed to pay the ransom because its customers’ data was a “top priority”. In a statement, it added: “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber criminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
According to a new report from cybersecurity specialist Skybox Security, ransomware has rocketed during the Covid-19 pandemic, with new cases increasing by 72% and more than 20,000 new vulnerability reports predicted for 2020, shattering previous records.