Homeless charity Crisis suffers data breach through software provider Blackbaud

Homeless charity Crisis warns its thousands of supporters their data is in the hands of cyber criminals after it hackers struck global cloud software provider Blackbaud

  • Crisis charity says thousands of supporter’s data was accessed by hackers 
  • Details of some of the 80,000 supporters were taken from provider Blackbaud
  • Six UK universities also revealed they had been hacked earlier this year 
  • Blackbaud paid hackers undisclosed ransom after promised all data destroyed

By William Cole For Mailonline

Published: 07:01 EDT, 25 July 2020 | Updated: 07:01 EDT, 25 July 2020

A leading homeless charity has become the latest victim of a major data breach that saw six UK universities and several companies attacked by hackers.

Crisis confirmed that the contact details of hundreds of supporters had been taken in a cyber-attack that affected software provider Blackbaud. 

The charity added they were ‘confident’ the hackers were unable to access the encrypted financial information of everyone who had previously donated to Crisis.

In a letter to supporters, Chief Executive Jon Sparkes said he was ‘incredibly frustrated’ by the breach and that the organisation was carrying out a full investigation.

Homeless charity Crisis confirmed that the contact details of hundreds of supporters had been taken in a cyber-attack that affected software provider Blackbaud

Homeless charity Crisis confirmed that the contact details of hundreds of supporters had been taken in a cyber-attack that affected software provider Blackbaud

Homeless charity Crisis confirmed that the contact details of hundreds of supporters had been taken in a cyber-attack that affected software provider Blackbaud

‘We have recently been informed about a cyber-attack that has affected one of our suppliers called Blackbaud, who host our supporter database as well as databases for a number of other organisations,’ he said. 

‘The cyber-attack resulted in details of some of our supporters being accessed. This included names, addresses, email addresses and telephone numbers. All financial information held by Blackbaud is encrypted and we are confident that this has not been breached.

‘Blackbaud have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed and there is currently no evidence of the data being used. Blackbaud has set out further details about the incident here.

‘The breach affected a system that we stopped using in early 2018. Any information that you have given to us since then has not been affected. Please see further details below.’ 

The charity added they were 'confident' the hackers were unable to access the encrypted financial information of everyone who had previously donated to Crisis

The charity added they were 'confident' the hackers were unable to access the encrypted financial information of everyone who had previously donated to Crisis

The charity added they were ‘confident’ the hackers were unable to access the encrypted financial information of everyone who had previously donated to Crisis

Mr Sparkes added that while the risk appears to be very low, supporters should be wary of unknown phone calls or potential email scams.

The news comes days after six UK universities revealed that students and alumni had had data stolen in the attack targeting US-based cloud computer provider Blackbaud. 

Blackbaud paid the hacker an undisclosed ransom after they were promised that all data – which included phone numbers and donation history in some cases – was destroyed. 

The South Carolina-based company said the ransomware hacker ‘did not access credit card information, bank account information, or social security numbers’.

Hackers have stolen student data from six UK universities (including the University of Leeds, pictured) in a global cyber attack targeting US-based cloud computer provider Blackbaud

Hackers have stolen student data from six UK universities (including the University of Leeds, pictured) in a global cyber attack targeting US-based cloud computer provider Blackbaud

Hackers have stolen student data from six UK universities (including the University of Leeds, pictured) in a global cyber attack targeting US-based cloud computer provider Blackbaud

Blackbaud paid the hacker an undisclosed ransom after they were promised that all data - which included phone numbers and donation history in some cases - was destroyed. Pictured: The University of York was one of the institutions affected

Blackbaud paid the hacker an undisclosed ransom after they were promised that all data - which included phone numbers and donation history in some cases - was destroyed. Pictured: The University of York was one of the institutions affected

Blackbaud paid the hacker an undisclosed ransom after they were promised that all data – which included phone numbers and donation history in some cases – was destroyed. Pictured: The University of York was one of the institutions affected

The attack – which also affected a Canadian University and a US design school – happened in May but was not publicly addressed until this month. 

The South Carolina-based company said the ransomware hacker 'did not access credit card information, bank account information, or social security numbers' of students it universities, including Reading (pictured)

The South Carolina-based company said the ransomware hacker 'did not access credit card information, bank account information, or social security numbers' of students it universities, including Reading (pictured)

The South Carolina-based company said the ransomware hacker ‘did not access credit card information, bank account information, or social security numbers’ of students it universities, including Reading (pictured)

The University of York, Oxford Brookes University, Loughborough University, University of London, University of Leeds and University of Reading are apologising to students, faculty and donors for the breach.

Ambrose University in Canada and  Rhode Island School of Design in America were also hit – as were Human Rights Watch and charity Young Minds, BBC News reports. 

A statement on the company’s website read: ‘After discovering the attack, our Cyber Security team – together with independent forensics experts and law enforcement -successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. 

‘Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. 

‘The cybercriminal did not access credit card information, bank account information, or social security numbers. 

‘Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.’

The attack - which also affected a Canadian University and a US design school - happened in May but was not publicly addressed until this month. Pictured: Oxford Brookes University was one of the ones affected

The attack - which also affected a Canadian University and a US design school - happened in May but was not publicly addressed until this month. Pictured: Oxford Brookes University was one of the ones affected

The attack – which also affected a Canadian University and a US design school – happened in May but was not publicly addressed until this month. Pictured: Oxford Brookes University was one of the ones affected

The University of York, Oxford Brookes University, Loughborough University, University of London (pictured), University of Leeds and University of Reading are apologising to students, faculty and donors for the breach

The University of York, Oxford Brookes University, Loughborough University, University of London (pictured), University of Leeds and University of Reading are apologising to students, faculty and donors for the breach

The University of York, Oxford Brookes University, Loughborough University, University of London (pictured), University of Leeds and University of Reading are apologising to students, faculty and donors for the breach

The FBI, National Crime Agency and Europol usually advise against paying what the hacker demands.

The statement adds: ‘Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.’

One of the impacted former students, cyber-security specialist Rhys Morgan said: ‘My main concern is how reassuring – impossibly so, in my opinion – Blackbaud were to the university about what the hackers have obtained.’

Advertisement
Read more:

Loading

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow by Email
Pinterest
LinkedIn
Share