It becomes the second university to announce a data breach by third-party service provider Blackbaud, one of the world’s largest providers of customer relationship management systems.
Yesterday it was reported that the University of York was impacted by the same data breach, with several other universities, also using its services, being affected.
Blackbaud, which provides software solutions to higher educational institutions, was targeted by cybercriminals in May. It notified the universities affected on 16th July who then, in turn, have notified their staff, students, alumni and partners.
Chloe Roche, a University of Leeds alumni, was notified by email yesterday (22nd July). Commenting on the data breach, she said:
“It’s really distressing to know that your personal data has been hacked and is in the hands of criminals. We have been notified that Blackbaud have paid a ransom for the hackers to destroy our private information, but I find that really disconcerting too.
“Ultimately, we’ve no way of knowing what has actually been done with our data and the idea that a company is being blackmailed for it makes me feel really uneasy. The potential for it to be sold or passed on also worries me so it’s very stressful.”
Leeds University is now working with Blackbaud to determine exactly what personal data was compromised. So far, clients of Blackbaud have been affected in different ways, with varying types of data involved. However, in this case it appears that the names and email addresses of the university’s alumni and supporter community were affected.
It also believes that information on the sums given as gifts or event payments through its alumni web portal, Leeds Alumni Online, may have been affected, although it doesn’t believe any bank account or credit card details were included.
Mark Montaldo, a Director at CEL Solicitors, which specialises in data breach claims, said:
“We’ve already spoken to former university students who are rightly concerned about what this data breach could mean for them. To know your personal data has been hacked by criminals is incredibly worrying and increasingly common as more and more data is stored online.
“It’s therefore crucial that organisations ensure that every possible measure is taken to protect their members’ personal details and that any third parties’ goals are aligned with their own when it comes to data protection.
“It’s also really important that organisations notify potential victims as soon as they become aware of a data breach so that they are alert to any suspicious activity as a result of their data being breached”.
As a precautionary measure, the Information Commissioner’s Office was sent a preliminary notification about this issue over the weekend.
For those at The University of Leeds, we are calling for anyone who is worried that they may have been impacted to contact us so we can thoroughly investigate whether their private details were part of the cyber-attack, and whether they could be entitled to compensation as a result.