More than 20 universities and charities in the UK, US and Canada, including the University of Liverpool, were hit after hackers attacked cloud computing provider Blackbaud. Tony McDonough reports
Former students of the University of Liverpool are being warned to be vigilant after its alumni database was targeted by hackers.
More than 20 universities and charities in the UK, US and Canada were affected after hackers attacked cloud computing provider, Blackbaud, one of the largest providers of customer relationship management systems.
It was targeted by cybercriminals in May. It notified the universities affected on July 16 who then, in turn, have notified their staff, students, alumni and partners.
The University of Liverpool is now working with Blackbaud to determine exactly what personal data was compromised. However, Blackaud insists no financial information, such as bank or credit card details, was accessed.
Melissa Moulsdale, a former student at the university, was notified by email on July 28 that her data may have been breached. She said: “It’s extremely worrying to know that my personal data has been passed around a ring of criminals.
“The fact that Blackbaud has paid a ransom to the hackers to have our private details destroyed is very concerning too – we have absolutely no way of knowing whether our data has been destroyed or even sold on. It’s incredibly stressful to know that, in theory, my personal details are out there for cyber criminals to access.”
So far, clients of Blackbaud have been affected in different ways, with varying types of data involved. However, in this case it appears that the names and email addresses of the university’s alumni and supporter community were affected.
A University of Liverpool spokesperson said: “The University of Liverpool takes its data security responsibilities very seriously.
“We have launched our own investigation into the incident and are working with Blackbaud and other colleagues in the higher education sector to understand more about the breach and to take appropriate measures to increase security. We have also informed the Information Commissioner’s Office (ICO).”
Mark Montaldo, a director at Liverpool law firm CEL Solicitors, which specialises in data breach claims, added: “We’ve already spoken to former university students who are rightly concerned about what this data breach could mean for them.
“To know your personal data has been hacked by criminals is incredibly worrying and increasingly common as more and more data is stored online. It’s therefore crucial that organisations ensure that every possible measure is taken to protect their members’ personal details and that any third parties’ goals are aligned with their own when it comes to data protection.”
In a statement, Blackbaud said: “The cybercriminal did not access credit card information, bank account information, or social security numbers. We paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”