Sussex has confirmed that student data was compromised during a cyber-attack on Blackbaud, a company it uses that provides administrative and financial technology to non-profit organisations such as universities.
By Ewan Vellinga
In an email addressed to alumni on July 23, the university said: “on 16 July, the company informed us that it had discovered and stopped a ransomware attack on its systems, although some data was compromised.”
The stolen data is reported to include biographical information (names and study, employment and contact details) and information about each individual’s relationship with Sussex, such as event participation and giving history. The university emphasised, however, that no financial data was taken.
It is not clear whether all staff and students have been affected. One institution told the BBC that the Blackbaud product involved was NetCommunity, which is used for alumni relations. This may explain why Sussex initially confirmed the breach via an email to its alumni rather than to the wider university community.
Sussex is the latest in a number of UK, US and Canadian universities, schools and charities to confirm this week that they were affected. The attack itself occurred in May, but Blackbaud did not inform its customers until July 16.
Blackbaud claims that the cybercriminals were quickly expelled from its systems during the attack, but not before a subset of data from its self-hosted environment had been copied. The company subsequently paid the ransom and says it was then told that the copied information had been destroyed. An assurance of this kind comes only from the attackers and cannot be independently verified.
The company claims that most of its customers were not affected, and that “based on the nature of the incident, our research, and third party (including law enforcement) investigation we have no reason to believe that any data went beyond the cybercriminal, was or will be misused.”
However, the way in which the breach was handled has raised a number of questions. Firstly, Blackbaud has not yet revealed the ransom sum, nor how many of its customers were actually affected by the incident.
An article in the BBC also states that, although paying a ransom is not illegal, most law enforcement agencies advise against it. The same article notes that “under the General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident,” which Blackbaud failed to do.
Sussex has also expressed concern. It has notified the Information Commissioner’s Office (ICO) of the breach and says it is working with Blackbaud to ensure that all of the university’s data remains secure, while seeking an explanation for why it took the company so long to acknowledge the breach.
However, Sussex also stated in its email to alumni that there is no need for alarm, and that individuals need not take any action at this time.
Picture credit: Ak689