Several universities in UK, US and Canada hit by malware attack; data lost

Almost 10 universities in the United Kingdom, the United States of America and Canada have been hit by a malware in their cloud computing provider, Blackbaud.

Blackbaud is one of the largest providers of education administration, fundraising, and financial management software in the world.

The hackers focused on information about students and/or alumni. Sensitive information such as phone numbers, donation history and events attended were stolen. However, payment details such as credit card numbers were not exposed, according to BBC.

Mails asking for donation for the universities were sent out to alumni. However, in few of the cases, the threat was extended to staff, existing students and other supporters.

The company, Blackbaud, is being criticised for the way the whole whole situation as handled in their end. The hackers targeted the company in May, but the universities were informed in July.

"In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment," Blackbaud said in a statement on their website.

It was further criticised for paying off the hackers ransom amount that has not been disclosed, without talking to the universities or the authorities. Blackbaud claims that paying off the ransom helped them get a "confirmation that the copy [of data] they removed had been destroyed".

While this is not illegal, the universities have not appreciated this step as they claim to have been kept in the dark about this whole situation.

Blackbaud has also claimed that majority of its customers were not affected. However, it has declined to give a complete list of affected universities, claiming that it wants to respect the privacy of its customers.

As of now the aconfirmed list of affected universities is: University of York, Oxford Brookes University, Loughborough University, University of Leeds, University of London, University of Reading, University College (Oxford), Ambrose University in Alberta (Canada), Human Rights Watch Young Minds, Rhode Island School of Design in the US and the University of Exeter.

The universities have now sent out an email apologising to the students and the alumni who were affected by the hacking activity.

"My main concern is how reassuring - impossibly so, in my opinion - Blackbaud were to the university about what the hackers have obtained," commented Rhys Morgan, a cyber-security specialist and former student at Oxford Brookes University, whose data was involved.

"They told my university that there is 'no reason to believe that the stolen data was or will be misused'. I can't feel reassured by this at all. How can they possibly know what the attackers will do with that information?"

"I doubt that my university has many details that aren't pretty easily available, but I am more concerned about giving in to the blackmail and blithely accepting the word of the blackmailer that all the data has now been destroyed," Matthew Scott, one of the recipients who received the email told the BBC.

After the whole situation was revealed to the universities, Leeds University said, in a statement: "We want to reassure our alumni that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected. No action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant."

Blackbaud will have to participate in investigations for the UK and Canada data authorities as the concernned authorities were informed last weekend, which is weeks after the company noticed the breach in the systems.

UK's Information Commissioner's Office [ICO] said, "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."