British universities are waking up to last week's disclosure of a ransomware attack on cloud CRM purveyor Blackbaud, though it appears some haven't realised the American software company paid the ransom.
As hack notifications started filtering through the world of student and alumni relations management software, news reports emerged this week of universities alerting people to a supply chain attack.
Uncommonly well-informed people knew all about it by reading The Register's report of the Blackbaud ransom payment last week, but mere Muggles only heard of it when universities began informing students, staff and alumni that their personal data had been nicked.
The BBC put together a list of UK institutions subscribing to Blackbaud services. Of those, a dozen had been affected, including the Universities of York, Leeds, Manchester and Exeter, while five, including Queen's University Belfast and University College London, said they had not.
Blackbaud was struck by ransomware in May that locked up files on its "self-hosted" systems, but not those running in its AWS or Azure cloud environments. The attackers also took a copy of customer data before the files were encrypted. As the company admitted in a statement two months later: "Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
The University of Manchester sent its alumni an email, seen by The Register, which said in part:
Blackbaud has confirmed to us that:
- it has conducted an investigation (involving law enforcement agencies);
- no passwords, credit card details or bank account information were affected;
- and it obtained confirmation that the data removed by the cybercriminal was destroyed;
- it has no reason to believe that any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly.
The University of York told its students and alumni on Wednesday that names, dates of birth, student numbers, addresses, phone numbers and email addresses, fundraising details (including details of donations), and occupation and employer details were among the data stolen, according to student news site York Mix.
Leeds University alumnus Chloe Roche told the Yorkshire Post that her former institution had passed on the news that Blackbaud paid off the ransomware criminals in exchange for a promise that the crims would delete the stolen data.
She said: "We have been notified that Blackbaud have paid a ransom for the hackers to destroy our private information, but I find that really disconcerting too. Ultimately, we've no way of knowing what has actually been done with our data and the idea that a company is being blackmailed for it makes me feel really uneasy. The potential for it to be sold or passed on also worries me so it's very stressful."
Over on Twitter, Blackbaud's social media department failed to acknowledge the data breach. Its latest tweet at the time of writing was something about corporate social responsibility:

"Our #CSR leader, @RachelHutchssn, recently took to the mainstage of @socinnovation to share insights into the future of giving + philanthropy. Take a look: https://t.co/3dsnerxNlo" (Blackbaud, @blackbaud, July 23, 2020)
Supply chain attacks, in which the middlemen and processors that hold important data are targeted rather than the companies or institutions whose data it is, tend to draw less attention than attacks on those organisations themselves. A single intrusion at the processor, however, exposes every customer whose data it holds. Until, that is, something like this happens.
So far there is no information on how the criminals got into Blackbaud's network to spread their ransomware. Paying the ransom, however, merely encourages them and sustains the criminal business model. Nor does paying for deletion buy any verifiable assurance: once data has been copied out of a network there is no way to prove that every copy has been destroyed. Don't do it, and don't trust assurances from criminals that they'll stick by their word. They're criminals, after all. ®