This article is from the source 'bbc' and was first published or seen on . It last changed over 40 days ago and won't be checked again for changes.
You can find the current article at its original source at https://www.bbc.co.uk/news/technology-53567699
The article has changed 8 times.
Version 1 | Version 2 |
---|---|
National Trust joins victims of Blackbaud hack | National Trust joins victims of Blackbaud hack |
(32 minutes later) | |
The UK's National Trust is among more than 80 organisations that have confirmed data breaches resulting from an attack on cloud computing provider Blackbaud. | The UK's National Trust is among more than 80 organisations that have confirmed data breaches resulting from an attack on cloud computing provider Blackbaud. |
Others involved include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds. | Others involved include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds. |
Dozens of British universities have also alerted past and present students. | Dozens of British universities have also alerted past and present students. |
Museums, schools, churches and food banks have also been affected. | Museums, schools, churches and food banks have also been affected. |
The UK's Information Commissioner's Office (ICO) has said it is investigating the matter and is therefore limited in what it can say at this time. | The UK's Information Commissioner's Office (ICO) has said it is investigating the matter and is therefore limited in what it can say at this time. |
Internal investigation | Internal investigation |
The National Trust said that data about its volunteering and fundraising communities had been involved, but not that of its wider 5.6 million members. | The National Trust said that data about its volunteering and fundraising communities had been involved, but not that of its wider 5.6 million members. |
The organisation - which looks after historic buildings and gardens - added that an internal investigation was under way to assess if further action was needed. | The organisation - which looks after historic buildings and gardens - added that an internal investigation was under way to assess if further action was needed. |
"We are currently in the process of identifying and informing those affected," Jon Townsend, the trust's chief information officer, explained. | "We are currently in the process of identifying and informing those affected," Jon Townsend, the trust's chief information officer, explained. |
"We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission." | "We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission." |
The University of Newcastle was another body to make a public disclosure after being contacted by the BBC. | The University of Newcastle was another body to make a public disclosure after being contacted by the BBC. |
"We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," said a spokeswoman. | "We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," said a spokeswoman. |
"We apologise for any concern or inconvenience caused... and we have initiated a security review." | "We apologise for any concern or inconvenience caused... and we have initiated a security review." |
Ransomware payment | Ransomware payment |
Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom. However, it only advised its clients of the breach this month, which is why notices are only now being sent to members of the public. | Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom. However, it only advised its clients of the breach this month, which is why notices are only now being sent to members of the public. |
Some of them specifically make mention of two of Blackbaud's platforms - Raiser's Edge and NetCommunity - which are commonly used to keep track of donors and the sums they have given. | Some of them specifically make mention of two of Blackbaud's platforms - Raiser's Edge and NetCommunity - which are commonly used to keep track of donors and the sums they have given. |
Blackbaud has said the data did not include bank account or payment card details. | Blackbaud has said the data did not include bank account or payment card details. |
But a source has told the BBC that in some cases it involved donors' details including: | But a source has told the BBC that in some cases it involved donors' details including: |
Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted. | Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted. |
"The hackers would know these people have a propensity to support good causes," commented Pat Walshe from the consultancy Privacy Matters. | "The hackers would know these people have a propensity to support good causes," commented Pat Walshe from the consultancy Privacy Matters. |
This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details. | This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details. |
Mr Walshe also questioned if there had been a breach of the GDPR privacy law, which requires major personal data breaches to be flagged to regulators within 72 hours of discovery. | Mr Walshe also questioned if there had been a breach of the GDPR privacy law, which requires major personal data breaches to be flagged to regulators within 72 hours of discovery. |
Blackbaud has said that at "every point we were working closely with law enforcement and other specialists". | Blackbaud has said that at "every point we were working closely with law enforcement and other specialists". |
However, neither it nor the ICO has yet revealed when the UK watchdog was notified. | However, neither it nor the ICO has yet revealed when the UK watchdog was notified. |
Jewish schools | Jewish schools |
Blackbaud has declined to name or number the organisations impacted, beyond saying it is a "subset" of its thousands of clients. | Blackbaud has declined to name or number the organisations impacted, beyond saying it is a "subset" of its thousands of clients. |
However, the BBC has identified some of these by contacting them directly and tracking down online notices of the security breaches. | However, the BBC has identified some of these by contacting them directly and tracking down online notices of the security breaches. |
The problem is so widespread across the further education sector that some universities - including the University of Edinburgh and Aston University, Birmingham - have posted notices to say their data was not involved. | |
Some schools have also been affected, including St Albans in Hertfordshire. ACS International, which teaches children in London, Surrey and Qatar, has also said there is a "low threat" risk to its "alumni's and friends' information". | |
In addition, Maccabi GB - an organisation that provides services to 44 Jewish primary and secondary schools - has told supporters their data was among that compromised. | In addition, Maccabi GB - an organisation that provides services to 44 Jewish primary and secondary schools - has told supporters their data was among that compromised. |
Beyond the UK, Hungary's Central European University is among those to have confirmed involvement. | Beyond the UK, Hungary's Central European University is among those to have confirmed involvement. |
But the other international organisations confirmed by the BBC have all been US and Canada-based. | But the other international organisations confirmed by the BBC have all been US and Canada-based. |
They include several cancer charities, human rights campaigns, public radio stations and religious groups, in addition to schools, colleges and universities. | They include several cancer charities, human rights campaigns, public radio stations and religious groups, in addition to schools, colleges and universities. |
UK educational institutions: | UK educational institutions: |
Other UK non-profits: | Other UK non-profits: |
International organisations: | International organisations: |