Hackers have compromised student and alumni data in at least eight universities in the UK and Canada including University of York, University College, Oxford, University of Leeds and University of London via a massive attack on a US-based software provider called Blackbaud.
Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software, was hacked in May and it did not disclose this externally until July and for having paid the hackers an undisclosed ransom, reports the BBC.
Now, it has been learnt that at least 8 universities have suffered data breach.
Oxford Brookes University, Loughborough University, University of Reading, Ambrose University in Alberta, Canada, Human Rights Watch, Young Minds and Rhode Island School of Design in the US are among those impacted.
“All the institutions are sending letters and emails apologising to those on the compromised databases,” the report said on Friday.
The compromised data involves former students, staff, existing students and other supporters.
In some cases, the stolen data included phone numbers, donation history and events attended.
Credit card and other payment details do not appear to have been exposed, according to the report.
Blackbaud did not provide the information on those impacted, saying it wanted to “respect the privacy of our customers” and was working with law enforcement and third party investigators to check if data is being circulated or sold on the Dark Web.
“We want to reassure our alumni that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected,” Leeds University said in a statement.
Blackbaud in July admitted the hack.
“While this sophisticated ransomware attack happened, we were able to shut it down and have no reason to believe this will result in any public disclosure of any of our customers’ data,” Blackbaud President and CEO Mike Gianoni told The NonProfit Times.
Blackbaud paid a ransom to have the hijacked data destroyed by the cybercriminals but did not reveal the amount.