A Welsh university has confirmed it was one of more than 20 institutions in the UK, US and Canada that have been affected after hackers attacked a cloud computing provider.
Aberystwyth University has reassured current students and alumni that “no bank account or credit card details were taken” in the attack.
The hack targeted Blackbaud, a leading provider of education financial management and administration software.
The ransomware attack happened in May.
Aberystwyth University said it is “urgently investigating” after confirming the hack “affected a university alumni and supporter web portal and information management system.”
Blackbaud, a US-based company, has been criticised for not disclosing the hacking of their systems externally until July and for having paid the hackers an undisclosed ransom.
In some of the attacks on other universities, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
About 10,000 students study at the 148-year-old mid Wales institution every year and the university said it has had reassurances that the “stolen data has now been destroyed and has no reason to believe it was misused”.
“Blackbaud has offered assurances that no bank account or credit card details were taken,” said a university spokesperson.
“We take data security extremely seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.
“We are in the process of contacting those online portal users and recipients of our alumni and supporter e-newsletters whom we believe may have been affected.”
The university has reported the breach to the Information Commissioner’s Office and has said it “will cooperate fully with any further steps they wish to take.”
Other institutions that have also been affected include the University of York, Loughborough University, the University of London and University College, Oxford.
Firm ‘paid ransom demand’
Blackbaud, whose headquarters are based in South Carolina, declined to provide a complete list of those impacted, saying it wanted to “respect the privacy of our customers”.
“The majority of our customers were not part of this incident,” the company claimed.
It referred the BBC to a statement on its website: “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”
The statement goes on to say Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.
Blackbaud added that it had been given “confirmation that the copy [of data] they removed had been destroyed”.
Blackbaud has said it is working with law enforcement and third-party investigators to monitor whether or not the data is being circulated or sold, for example on the dark web.
Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
The UK’s Information Commissioner’s Office (ICO), as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.
An ICO spokeswoman said: “Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually.”