The UK universities which are confirmed to have been affected are:
The universities have written to former students asking them to remain vigilant and report any suspicious activity following the hack.
Blackbaud, which provides software solutions to higher educational institutions, was targeted by cybercriminals in May. It was held to ransom by the hackers and paid an undisclosed amount to the cyber-criminals in the hope that they would destroy the data.
Blackbaud is facing widespread criticism about the length of time it took to warn victims that data had been stolen. It notified the universities affected on 16th July who then, in turn, notified their staff, students, alumni and partners.
Blackbaud is not revealing the scale of the breach, so dozens more charities and educational organisations may have been affected.
Chloe Roche, a University of Leeds alumni, was notified by email on 22 July. Commenting on the data breach, she said:
“It’s really distressing to know that your personal data has been hacked and is in the hands of criminals. We have been notified that Blackbaud have paid a ransom for the hackers to destroy our private information, but I find that really disconcerting too.
“Ultimately, we’ve no way of knowing what has actually been done with our data and the idea that a company is being blackmailed for it makes me feel really uneasy. The potential for it to be sold or passed on also worries me so it’s very stressful.”
The universities impacted are now working with Blackbaud to determine exactly what personal data was compromised. So far, clients of Blackbaud have been affected in different ways, with varying types of data involved. Some of the information relating to the Universities that was stolen included:
Mark Montaldo, a Director at CEL Solicitors, which specialises in data breach claims, said: “We’ve already spoken to former university students who are rightly concerned about what this data breach could mean for them. To know your personal data has been hacked by criminals is incredibly worrying and increasingly common as more and more data is stored online.
“It’s therefore crucial that organisations ensure that every possible measure is taken to protect their members’ personal details and that any third parties’ goals are aligned with their own when it comes to data protection.
“It’s also really important that organisations notify potential victims as soon as they become aware of a data breach so that they are alert to any suspicious activity as a result of their data being breached”.
As a precautionary measure, the Information Commissioner’s Office has been sent a preliminary notification.
We are calling for anyone who is worried that they may have been impacted as a result of the data breach to contact us so we can thoroughly investigate whether their private details were part of the cyberattack, and whether they could be entitled to compensation as a result.