National Trust joins victims of Blackbaud hack

BBC Technology 30 Jul 2020 09:29
By Leo Kelion & Joe Tidy Technology reporters
National Trust propertyImage copyright Reuters

The UK's National Trust is among a growing list of organisations to issue data breach alerts after an attack on cloud computing provider Blackbaud.

Others include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds.

The UK's Information Commissioner's Office (ICO) told the BBC that 125 organisations had reported to it in relation to the incident "so far".

They include dozens of universities.

And internationally, museums, schools, churches and food banks have also been affected.

"BlackBaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries," a spokeswoman for the ICO said.

"Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted."

Internal investigation

The organisation - which looks after historic buildings and gardens - added that an internal investigation was under way to assess if further action was needed.

"We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission." 

"We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," said a spokeswoman.

Other universities have said that data on current staff and students was involved, in addition to that of past graduates.

Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom. However, the US firm only advised its clients of the breach this month, which is why notices are only now being sent to members of the public.

Image copyright Blackbaud

But a source has told the BBC that in some cases it involved donors details including:

Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted.

This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.

Blackbaud has said that at "every point we were working closely with law enforcement and other specialists".

However, neither it nor the ICO has yet revealed when the UK watchdog was notified.

Blackbaud has declined to name or number the organisations impacted, beyond saying it is a "subset" of its thousands of clients.

The problem is so widespread across the higher education sector that some universities - including the University of Edinburgh and Aston University, Birmingham - have posted notices to say their data was not involved.

ACS International, which teaches children in London, Surrey and Qatar, has also said there is a "low threat" risk to its "alumni's and friends' information".

Beyond the UK, Hungary's Central European University is among those to have confirmed involvement.

But the other international organisations confirmed by the BBC have all been US and Canada-based.

UK educational institutions:

Image copyright PA Media

Other UK non-profits:

International organisations:

Image copyright Getty Images

Please include a contact number if you are willing to speak to a BBC journalist.

Continue reading original article...


You may also like