Blackbaud Hack: Aberystwyth college’s information attacked in world hack

Old college Image copyright Aberystwyth University
Image caption Aberystwyth’s Old College on the seafront was constructed within the 1860s

A Welsh college has confirmed it was one among greater than 20 establishments within the UK, US and Canada that has been affected after hackers attacked a cloud computing supplier.

Aberystwyth University has reassured present college students and alumni that “no bank account or credit card details were taken” within the assault.

The hack focused Blackbaud, who’re a number one supplier of schooling monetary administration and administration software program.

The ransomware assault occurred in May.

Aberystwyth University it’s “urgently investigating” after confirming the hack “affected a university alumni and supporter web portal and information management system.”

Blackbaud, a US-based firm, has been criticised for not disclosing the hacking of their techniques externally till July and for having paid the hackers an undisclosed ransom.

In among the assaults on different universities, the information was restricted to that of former college students, who had been requested to financially help the institutions they’d graduated from. But in others it prolonged to workers, current college students and different supporters.


About 10,000 college students examine on the 148-year-old mid Wales establishment yearly and the college mentioned it has had reassurances that the “stolen data has now been destroyed and has no reason to believe it was misused”.

“Blackbaud has offered assurances that no bank account or credit card details were taken,” mentioned a college spokesperson.

“We take data security extremely seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.

“We are within the strategy of contacting these on-line portal customers and recipients of our alumni and supporter e-newsletters whom we consider might have been affected.”

Image caption Aberystwyth University has three academic faculties and 17 departments

The university has reported the breach to the Information Commissioner’s Office and has said it “will cooperate totally with any additional steps they want to take.”

Other institutions have also been affected include University of York, Loughborough University, University of London and University College, Oxford.

Firm ‘paid ransom demand’

Blackbaud, whose headquarters are based in South Carolina, declined to provide a complete lists of those impacted, saying it wanted to “respect the privateness of our prospects”.

“The majority of our prospects weren’t a part of this incident,” the corporate claimed.

It referred the BBC to an announcement on its web site: “In May of 2020, we found and stopped a ransomware assault. Prior to our locking the cyber-criminal out, the cyber-criminal eliminated a replica of a subset of information from our self-hosted atmosphere.”

The statement goes on to say Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.

Blackbaud added that it had been given “affirmation that the copy [of data] they eliminated had been destroyed”.

Blackbaud has said it is working with law enforcement and third party investigators to monitor whether or not the data is being circulated or sold on the dark web, for example.

Privacy law

Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.

The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.

An ICO spokeswoman said: “Blackbaud has reported an incident affecting a number of information controllers to the ICO. We shall be making enquiries to each Blackbaud and the respective controllers, and encourage all affected controllers to guage whether or not they should report the incident to the ICO individually.”