Victims of Blackbaud ransomware attack to take legal action

Students and staff at the University of Cumbria who were affected by the ransomware attack on Blackbaud are preparing to take legal action against the software provider.

Blackbaud, which provides education administration, fundraising and financial management support, was attacked earlier this year, with cyber criminals accessing victims’:

  • Names;
  • Dates of birth;
  • Addresses;
  • Phone numbers;
  • Email addresses;
  • Donation history; and
  • Events that individuals attended.

The University of Cumbria was one of more than 125 UK-based organisations affected by the attack.

Hundreds of people affiliated with the university expressed their concern with the breach and Blackbaud’s response, and a group has now instructed the law firm Simpson Millar to start legal proceedings.

Robert Godfrey, the head of professional negligence at Simpson Millar, was confident that anyone affected by the data breach had a valid claim for damages against the University of Cumbria and the distress caused.

He said: “We have had members of the universities contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR [General Data Protection Regulation] and data protection rules.

“I am confident any person whose details have been accessed could have a valid claim. It is clear there has been a breach of individuals’ right to privacy and the universities are ultimately responsible.

“There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives.”

Do they have a case?

Under the GDPR, individuals are entitled to claim compensation from an organisation if a data breach results in either “material damage” (e.g. they have lost money) or “non-material damage” (e.g. they have suffered distress).

The one caveat to this is that it only applies to data breaches where the organisation breached data protection law. Simpson Millar must therefore demonstrate that Blackbaud failed to meet its GDPR compliance requirements.

This might be the case if it failed to implement appropriate technical or organisational measures to prevent the data breach, or didn’t meet its data breach notification requirements, which could have exacerbated the damages – including distress caused.

The evidence so far suggests that the latter at the very least is true. Blackbaud admitted that the attack occurred in May, but it only disclosed it in mid-July, more than eight weeks later.

What about other universities?

The situation at the University of Cumbria isn’t unique; it’s one of more than twenty UK universities affected by the Blackbaud attack, so we may well see victims who are affiliated with other institutions joining the students and staff at the University of Cumbria in legal action.

If so, it could be a major wake-up call that the education sector needs to do a better job addressing cyber security.

Although the universities are – to some extent – innocent third parties in the Blackbaud attack, they have a responsibility to make sure that anyone they partner with has appropriate information security measures in place.

This is more important than ever, given the current cyber security climate. Earlier this month, the NCSC (National Cyber Security Centre) released a security alert to schools and universities, warning of a rise in cyber attacks as students return after the summer.

It comes after high-profile attacks on Newcastle University and nearby Northumbria University, as well as a spate of attacks against the education sector in August.

Most organisations are aware of threats such as these, but very few invest appropriately in defences – whether because their security teams aren’t given the necessary budget or they don’t spend their money on the right things.

The education sector has a harder time than most with this, because of its tight budgets and large volume of staff and students.

However, with the help of our Cyber Security as a Service package, effective security and privacy can be a lot more affordable than you might think.

This annual subscription service provides you with access to expert advice during office hours. Our experts will guide you through vulnerability scans, staff training and the creation of policies and procedures, which form the backbone of an effective security strategy.
