Exeter Alumni database affected in Blackbaud ransomware attack
Print Editor Bryony Gooch reports on how the Blackbaud ransomware attack has affected the University of Exeter
On 24 June, The University of Exeter confirmed it was affected by a Blackbaud ransomware attack that affected universities across the UK, US and Canada.
A University of Exeter spokesperson confirmed to Exeposé that the attack had only affected “an alumni database.”
Those affected by the breach received emails confirming their personal data “may have been affected in this data security incident”.
The email stated that “Blackbaud have confirmed to us that no encrypted information, including bank details, credit card information, or passwords have been compromised.”
However, a list of data potentially compromised was listed as:
- Personal such as name, gender, date of birth
- Contact details such as postal and email addresses and telephone numbers
- Details of educational records such as the qualification(s) you received from Exeter, year of graduation and any interests you had as a student such as membership of sports clubs and other student societies
- Details of your engagement with the University since graduation, such as records of events you attended, donations you have made or volunteering activity you participated in.
- Detail of your career such as your employment history, employer name and job title
- Any other information you may have shared with the University, such as your current interests.
Of course the University isn’t responsible for this leak but I would hope that they will ask the appropriate questions to Blackbaud.
Affected alumnus
Exeposé spoke to an alumnus affected by the breach about how they felt about the situation:
“This feels pretty terrible, I’m usually conscientious when it comes to keeping my personal data safe but this kind of breach proves that there’s a limited amount that any one person can do to make sure of that.
“Of course the University isn’t responsible for this leak but I would hope that they will ask the appropriate questions to Blackbaud. For example, why wasn’t this highly sensitive personal data encrypted? Why would Blackbaud take a random criminal’s word for it that they’ve deleted the information? What are Blackbaud going to do if UK students end up having their personal information sold on the dark web?”
Further to the University’s relationship with Blackbaud, the affected party stated:
“I hope that Exeter will immediately stop using Blackbaud’s services given that they have proven themselves to be untrustworthy when it comes to keeping sensitive personal information secure and private.”
Blackbaud have confirmed to us that no encrypted information, including bank details, credit card information or passwords have been compromised but some information about the individual may have been accessed.
A University of Exeter spokesperson
A University of Exeter spokesperson said of the incident:
“The University of Exeter is a customer of Blackbaud – a third-party computer software provider – who have recently informed us of a data security incident. Along with many other UK universities, the University of Exeter uses Blackbaud systems to hold the data of alumni and current or potential supporters and we understand that the data the cybercriminal accessed included a small proportion of Exeter-related data.
“Blackbaud have confirmed to us that no encrypted information, including bank details, credit card information or passwords have been compromised but some information about the individual may have been accessed. We have written to those who may have been affected to say we do not believe there to be a significant risk but to recommend that individuals remain vigilant to the possibility of identity theft or fraud. The University of Exeter will continue to work closely with Blackbaud, the HE sector, and the ICO to ensure that any risks are mitigated.”
Blackbaud’s full statement on the incident can be found here.
