Blackbaud hack: Second Welsh university's data attacked in hack

A second Welsh university has confirmed it was one of more than 20 institutions across the world to have been affected by hackers attacking a cloud provider.

The University of South Wales said it understood "email addresses and names of a section of our alumni database" were attacked in the Blackbaud hack.

The education software giant was held to ransom by hackers in May and paid an undisclosed ransom to cyber-criminals.

Aberystwyth University had previously admitted some of its data had been hit.

Blackbaud is the world's largest provider of education administration, fundraising, and financial management software.

The US-based firm declined to provide a complete lists of those affected but institutions in the UK, US and Canada have been affected, including a number of prominent UK universities.

The latest to confirm is the University of South Wales, which has campuses in Cardiff, Newport, Pontypridd and Dubai, and is Wales' second largest university.

"Since being told of this, we have been working to get an understanding of what data was breached from our records," a spokesperson said.

"We understand this to have been the email addresses and names of a section of our alumni database. We have now contacted all those whose details we believe were included. 

"We are in contact with the supplier to find out why there was a delay in informing us of the data breach, and to assure us that there is no likelihood the incident will be repeated." 

The university - formed in 2013 from a merger of the University of Glamorgan and University of Wales, Newport - has reported the breach to the Information Commissioner's Office.

Blackbaud, a company based in South Carolina, has been criticised for not disclosing the hacking of their systems externally until July and for having paid the hackers an undisclosed ransom.

"The majority of our customers were not part of this incident," the company has said.

It referred the BBC to a statement on its website, external: "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

The statement goes on to say Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.

Blackbaud added that it had been given "confirmation that the copy [of data] they removed had been destroyed".

It has said it is working with law enforcement and third-party investigators to monitor whether or not the data is being circulated or sold on the dark web, for example.

Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident or face potential fines.

The UK's Information Commissioner's Office (ICO), as well as the Canadian data authorities, were informed about the breach last weekend - weeks after Blackbaud discovered the hack.

An ICO spokeswoman said: "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."