A combined ransomware and data breach attack on a US cloud computing provider in May has affected many more universities and non-profits than at first thought.
Infosecurity reported on Wednesday how the University of York in northern England had notified affected staff and students that their personal details may have been compromised as a result of the incident at Blackbaud two months ago.
However, the list of affected Blackbaud customers now stretches to 12, including several more universities in the UK and North America, plus Human Rights Watch and mental health charity Young Minds, according to the BBC.
University College Oxford, the University of London, Canada’s Ambrose University and the Rhode Island School of Design are among those higher education institutions impacted. They’re all said to be in the process of contacting those affected by the breach.
Blackbaud has been criticized for its slow response to the incident, which may put it at risk of a GDPR investigation.
The firm said in a lengthy but undated statement that it discovered and blocked a ransomware attack on its servers back in May, but that “the cyber-criminal removed a copy of a subset of data from our self-hosted environment.
“As protecting our customers’ data is our top priority, we paid the cyber-criminal’s demand with confirmation that the copy they removed had been destroyed,” it said.
“Based on the nature of the incident, our research and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused, or will be disseminated or otherwise made available publicly.”
Cath Goulding, CISO at Nominet, argued that it was “worrying” that the firm had paid the ransom, against general best practice advice, adding that this could encourage future attacks.
“Once again, multiple parties have been exploited through a common component in their supply chain. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise across organizations and between them,” she said.
“It is important to scrutinize your supply chain, understand their processes and ensure due diligence is done to mitigate the risk of an attack. Ideally you should be looking for suppliers that have at least the same security principles as you do.”
Despite paying the ransomware attackers in this case, Blackbaud maintains that it follows “industry standard best practices.” It has reportedly refused to reveal the full list of clients affected by this breach out of privacy concerns.
The UK’s Information Commissioner’s Office (ICO) has been notified about the case.