Blackbaud hack escalates as more UK universities confirm breach - CEL Solicitors
More than 20 universities and charities in the UK, US and Canada have suffered a serious global data breach after hackers attacked cloud computing provider, Blackbaud.

The UK universities which are confirmed to have been affected are:

  • Aberystwyth University
  • ACS International Schools
  • Brasenose College, University of Oxford
  • Brunel University, London
  • De Montfort University
  • Hughes Hall College, University of Cambridge
  • King’s College, London
  • Loughborough University
  • Oxford Brookes University
  • Radley College, Abingdon
  • Selwyn College, University of Cambridge
  • St Albans School, Hertfordshire
  • Sheffield Hallam University
  • Staffordshire University
  • University College, Oxford
  • University of Birmingham
  • University of Bristol
  • University of Durham
  • University of East Anglia
  • University of Exeter
  • University of Hull
  • University of Kent
  • University of Leeds
  • University of Liverpool
  • University of London
  • University of Manchester
  • University of Newcastle
  • University of Northampton
  • University of Reading
  • University of South Wales
  • University of Sunderland
  • University of Sussex
  • University of West London
  • University of York

The universities have written to former students asking them to remain vigilant and report any suspicious activity following the hack.

Blackbaud, which provides software solutions to higher educational institutions, was targeted by cybercriminals in May. It was held to ransom by the hackers and paid an undisclosed amount to the cyber-criminals in the hope that they would destroy the data.

Blackbaud is facing widespread criticism about the length of time it took to warn victims that data had been stolen. It notified the universities affected on 16th July who then, in turn, notified their staff, students, alumni and partners.

Blackbaud is not revealing the scale of the breach, so dozens more charities and educational organisations may have been affected.

Chloe Roche, a University of Leeds alumni, was notified by email on 22 July. Commenting on the data breach, she said:

“It’s really distressing to know that your personal data has been hacked and is in the hands of criminals. We have been notified that Blackbaud have paid a ransom for the hackers to destroy our private information, but I find that really disconcerting too.

“Ultimately, we’ve no way of knowing what has actually been done with our data and the idea that a company is being blackmailed for it makes me feel really uneasy. The potential for it to be sold or passed on also worries me so it’s very stressful.”


The universities impacted are now working with Blackbaud to determine exactly what personal data was compromised. So far, clients of Blackbaud have been affected in different ways, with varying types of data involved. Some of the information relating to the Universities that was stolen included:

  • personal details, e.g. name, title, gender, date of birth and student number
  • contact details, e.g. phone, email address, home address and LinkedIn profile URL
  • educational details, e.g. qualifications and extracurricular activities undertaken
  • alumni and fundraising records, including participation and donations
  • professional details, e.g. profession and employer
  • information about people’s interests submitted in university surveys

Mark Montaldo, a Director at CEL Solicitors, which specialises in data breach claims, said: “We’ve already spoken to former university students who are rightly concerned about what this data breach could mean for them. To know your personal data has been hacked by criminals is incredibly worrying and increasingly common as more and more data is stored online.

“It’s therefore crucial that organisations ensure that every possible measure is taken to protect their members’ personal details and that any third parties’ goals are aligned with their own when it comes to data protection.

“It’s also really important that organisations notify potential victims as soon as they become aware of a data breach so that they are alert to any suspicious activity as a result of their data being breached”.

As a precautionary measure, the Information Commissioner’s Office has been sent a preliminary notification.

What to do when you’ve been hacked

We are calling for anyone who is worried that they may have been impacted as a result of the data breach to contact us so we can thoroughly investigate whether their private details were part of the cyberattack, and whether they could be entitled to compensation as a result.

Find out more about making a data breach claim, or call our team on 0808 273 0900 to get free, no-obligation legal advice.