A software supplier used by some of the UK’s biggest universities has confirmed that it suffered a cyber attack in May.
Blackbaud, which provides education administration, fundraising and financial management software, was infected with ransomware, giving cyber criminals access to a wealth of sensitive information.
At least eight educational institutions in the US and Canada were also affected, as well as several charities on both sides of the Atlantic.
How severe is the breach?
Blackbaud hasn’t revealed the scale of the breach, but the BBC reports that, in some cases, the affected data was limited to former students who had been asked to financially support their alma mater.
The stolen data included phone numbers, donation history, and events that individuals attended. Credit card and other payment details don’t appear to have been exposed.
The affected UK universities are:
- University of Birmingham
- De Montfort University
- University of Strathclyde
- University of Exeter
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- University of Aberystwyth
In the US, Middlebury College, Vermont; West Virginia University; New College of Florida; Cheverus High School in Maine; the University of North Florida; and the Rhode Island School of Design were breached.
In Canada, the incident affected Ambrose University, Alberta, and The Bishop Strachan School in Toronto.
At least six charities were also impacted:
- Choir with No Name
- Vermont Foodbank
- Vermont Public Radio
- Northwest Immigrant Rights Project
- Human Rights Watch
- Young Minds
Paying a ransomware demand
In a statement, Blackbaud explained: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
This raises several concerns. First, Blackbaud paid a ransom demand, which is contrary to the advice of most cyber security experts and law enforcement agencies, including the FBI and Europol.
This is because payment encourages and potentially funds further attacks.
In a notable example last year, a series of US cities came under attack. Criminals caught on to the fact that officials were willing to pay a sizable fee to prevent further disruption.
Although each city could just about justify the spending, the US Conference of Mayors realised that attacks would continue if they did pay, and the collective cost would be far too great.
As such, they unanimously agreed to refuse payment in the event of future attacks – and soon enough, the spate of ransomware infections abated.
Private-sector organisations don’t have the same level of unity as public ones, but the principle is the same.
The disruption caused by ransomware can be irreparable, and although you might not be the target this time, you could be next. It’s therefore in every organisation’s best interest to dissuade attackers.
Another major concern is that Blackbaud took the criminals at their word that they would destroy their copy of the data once the payment had been made.
Organisations have no way of knowing whether fraudsters will stick to their end of the bargain – and even if they do, it doesn’t make much difference.
Once data has been accessed by an unauthorised party, that is a data breach. It doesn’t matter if the criminals delete their copy once they get their money – the confidentiality, integrity and availability of the information have already been compromised.
Why did the response take so long?
Another cause for concern is why it took Blackbaud so long to inform its customers and regulators of the attack.
According to its statement, the attack occurred in May, but it only disclosed the incident last weekend – at least eight weeks later.
This looks like a clear violation of the GDPR (General Data Protection Regulation), which states that organisations must report significant breaches within 72 hours of discovery.
The GDPR applies in this instance because UK students are among those affected, and they are still covered by the Regulation until the Brexit transition period ends on 31 December 2020.
The failure to disclose security incidents within the 72-hour deadline falls within the GDPR’s lower tier of penalties, with a maximum fine of €10 million (about £9.1 million) or 2% of the organisation’s annual global turnover.
However, should the UK supervisory authority the ICO (Information Commissioner’s Office) discover major data protection weaknesses, Blackbaud could face sanctions in line with the upper tier of penalties, potentially reaching €20 million (about £18.2 million) or 4% of its annual global turnover.
Helping schools with the GDPR
Educational institutes have had a harder time than most achieving GDPR compliance, given tight budgets and a large volume of staff and students, and many simply don’t have the resources to commit to data protection.
However, with the help of our sister company GDPR.co.uk, effective security and privacy can be a lot more affordable than you might think.
Its dedicated GDPR for schools service helps you streamline your essential compliance practices, including data breach notifications, staff training and documentation.