US cloud and education software giant Blackbaud has finally admitted that the data breach which hit scores of UK universities and charities was far worse than it had first claimed, with a filing in the States showing that bank account information and users’ passwords were compromised in the incident.
The incident first emerged in July when Blackbaud clients started to demand answers after the firm admitted to paying off hackers to delete a copy of sensitive data stolen during a cyber-attack in May.
At the time, it tried to play down the incident, even though equally sensitive information, including name, age and address; assets and estimated wealth; value of past donations; history of political and philanthropic gifts; and spouse’s identity and gift-giving history had been leaked in some cases.
Now, in a regulatory filing with the US Securities & Exchange Commission, Blackbaud has said that after completing a forensic investigation into the attack, it has determined that hackers gained access to more data records than initially believed.
It stated: “After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.
“In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.
“We expect our security incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.”
Some 125 organisations, among them top UK universities and charities, including the National Trust, contacted the Information Commissioner’s Office in the summer to report the breach. However, the ICO has since revised this figure up, to 166 UK organisations.
Worldwide, it has been reported that millions of people have been warned they could have been affected.
Earlier this week, law firm Simpson Millar said it had been contacted by hundreds of people from institutions connected to the breach, concerned that their details may have been lost.
Simpson Millar head of professional negligence Robert Godfrey said: “We have had members of the universities contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR and data protection rules.
“There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives. The universities have a very clear duty of care to ensure that the members of their sites, who hand over their confidential information to them, have their data secure and protected, and are not exposed such as has happened in this breach.”