A number of prominent UK universities are amongst hundreds of organisations globally whose data has been stolen in a ransomware attack on cloud-computing provider Blackbaud. Remarkably, it has emerged that Blackbaud was attacked back in May but waited two months to inform its users. It has also emerged that they paid an undisclosed ransom in return for “confirmation” that the stolen data had been destroyed. Unsurprisingly, Blackbaud are being widely criticised for both the payment of a ransom to criminals and the delay in informing customers. Given their poor handling of the incident, it is debatable how reassured we can be by the company’s claims that:
- “The majority of our customers were not part of this incident”; and
- There is “no reason to believe that the stolen data was or will be misused”.
Universities and charities typically use Blackbaud to manage alumni and donor relations so, in many cases, the personal data stolen is fairly limited. However, there are exceptions: it is reported that the University of York has told its students and alumni that student numbers, addresses, phone numbers, email addresses, and occupation and employer details were among the data stolen.
Whilst the current focus is on the failings of Blackbaud, there are ongoing wider concerns over information security issues within the higher education sector. According to a recent survey by Redscan (to which 86 UK institutions responded):
- Only 54% of university staff had received any information security training; and
- Over half of universities had reported at least one data breach to the Information Commissioner’s Office (ICO).
This tallies with the UK Government’s Cyber Security Breaches Survey 2020, which found that 80% of Further and Higher Education establishments were aware of a breach or attack. Given the value of the intellectual property and the quantity of sensitive personal data on staff and students that universities hold, these figures are very worrying.