Loughborough is one of 11 UK universities to have suffered a data breach after hackers gained access to a third party computing services provider.
Blackbaud is a provider of financial and fundraising systems to non-profits and higher education institutes worldwide and in May 2020 a hacker was able to gain access to their systems and take a copy of some data stored on their servers. The attack sought to raise funds by committing a ‘ransomware’ attack whereby sensitive information is withheld from an organisation until a ransom has been paid.
Blackbaud has attracted criticism from industry experts for the way in which it dealt with the attack by paying the demanded ransom, which goes against the advice of security agencies such as the FBI and NCA. It has also been criticised for the length of time taken for Blackbaud to disclose details surrounding the attack to the institutions involved and notify the Information Commissioners Office (ICO), as the attack took place in May but notification was not made until last week (16/07/20).
Loughborough University has has a relationship with Blackbaud since at least 2012, and use their services to store details of some alumni and financial supporters. Label understands that this was the only information stored with Blackbaud and that no student or staff information was at risk. The University and Blackbaud confirmed that the data compromised did not include financial information or passwords and that the ICO had been informed. The University is now in the process of writing to affected individuals.
A Loughborough University spokesperson said:
“We can confirm that there has been a data breach affecting a third-party company called Blackbaud. This company provides a platform that hosts parts of our alumni and supporter database. Many UK universities use Blackbaud and this incident has affected numerous institutions across the country, not just Loughborough.
“The data that has been compromised does not include any bank account, credit card information or passwords, and we have written to all those impacted to apologise for this incident and provide further information. The University has also reported the data breach to the Information Commissioner’s Office (ICO).”
Have you been affected by this story? We want to hear from you