Blackbaud was made aware of the incident in May but only notified its UK customers on July 16. They reported that cybercriminals locked affected companies out of their servers and took a copy of a subset of data, asking for a ransom payment of an undeclared amount.
Against the advice of law enforcement agencies such as the FBI, NCA, and Europol, Blackbaud reportedly paid the criminal’s demand on the basis that “protecting customers’ data is [their] top priority” and after allegedly receiving “confirmation that the copy they removed had been destroyed.”
Blackbaud did not declare what data was compromised but said it did not include credit card information, bank account information, or social security numbers. King’s Executive Director of Development, Jennie Younger, corroborated this, explaining that “these were not stored on this Blackbaud platform.”
But she added that the compromised data could have included personal details such as names, titles, genders, and dates of birth, and contact details like postal addresses, emails, and phone numbers.
Blackbaud does not believe that the data was or will be shared beyond the criminal or will be misused or disseminated, based on “the nature of the incident, our research, and third party (including law enforcement) investigation.”
However, they also said that their Cyber Security team successfully expelled the criminal from their systems, preventing them from completely blocking access to the system and encrypting files.
Despite Blackbaud’s assurances, King’s College London has terminated its contract with the cloud service and reported the breach to the Information Commissioner’s Office (ICO). They are also investigating the incident alongside the university Data Protection Officer, Blackbaud and other Higher Education institutions.
Students and staff have been advised to avoid disclosing financial information or passwords to anyone over email and to contact firstname.lastname@example.org or call 020 7848 3053 with any concerns.
King’s statement is dated 14th August, almost one month after the university was made aware of the breach.
King’s are among 120 organisations to have been affected by the breach, which include universities, charities, private schools, the National Trust, and the British Labour Party.
An ICO spokesperson said “organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted. Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied.”
Microsoft Security Intelligence has found that 61% of nearly 7.7 million enterprise malware encounters reported in the past month targeted the education sector, making it the worst affected industry of all those recorded.
They also found that the UK, despite its small population size, is one of the nations worst affected by malware attacks, recording 1.04 million attacks across a population of 67.9 million.
Jamie Akhtar, CEO of CyberSmart, fears that as universities shift to online learning due to COVID-19, they are lacking the IT resources necessary to protect against such attacks.
“Last year, a hacker-simulation test proved 100% successful in breaching 50 universities across the country to access student and staff personal data, financial systems and valuable research networks”, he told ComputerWeekly.
A report by RedScan found that 54% of UK universities reported at least 1 data breach to the ICO in the past year, which CTO Mark Nicholls says “simply underscores the scale of the challenges universities face protecting data.” It also found that only 29% of universities commission more than one third-party penetration test per year.
The report concludes that “universities are under significant financial pressure, particularly given the impact of COVID-19. However, it is important they maintain a clear focus on cybersecurity and identify ways to assure the security and safety of their data and that of their students. The financial and reputational damage of failing to do so is too great.”