The data of eight universities in the US, Canada, and the UK have been compromised by hackers, after the malicious actors launched a ransomware cyberattack at the firm responsible for administrating those schools’ data.
Hackers targeted Blackbaud, a cloud computing firm that provides services to education institutions, non-profits, religious organizations, healthcare organizations, and foundations. The eight educational institutions confirmed to have been affected by the Blackbaud hack include:
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
On a statement on its website, the US-based Blackbaud revealed that it was hacked last May and chose to disclose news of the attack this month. The company also explained that it did not want to provide a list of those impacted by the hack, saying that it wanted to respect the privacy of those customers.
“The majority of our customers were not part of this incident,” the cloud computing company added.
Some of the stolen data included phone numbers, donation history and events attended. It does not appear that credit card and other payment details were exposed, BBC News reported.
In a statement to BBC News, Blackbaud said that the cybercriminal responsible for the hack stole “a copy of a subset of data” from the firm’s systems. The company also confirmed that it had paid the ransom demanded by the hackers, and was given confirmation from the attackers that the data they copied off was destroyed.
BBC News also confirmed that apart from the universities the non-profit Human Rights Watch and children’s mental health charity Young Minds were also affected by the Blackbaud hack. The Rhode Island School of Design in the US was also impacted by the ransomware attack.
Cyber security firm Emsisoft warned in a recent blog post that ransomware attacks have increasingly involved data breaches, as more hackers not only lock out victims from their computer systems, but also threaten to leak the data stolen.