A total of 125 UK organisations have now contacted the Information Commissioner's Office to report that they have been affected by the Blackbaud data breach, including a handful of prominent universities and charities.

A week ago it was revealed that US cloud computing provider Blackbaud, which specialises in the charity and education sectors, had admitted to paying the attackers to delete a copy of confidential data stolen during a ransomware attack back in May. The University of York was the first of many clients to speak out on the issue, demanding more information from the firm about the significant delay in notifying its customer base, as well as additional details about the stolen data itself.

This was followed by charities such as the National Trust, Crisis and Young Minds announcing that they too were affected by the breach, as well as dozens of other universities in the UK, US and Canada, including Oxford Brookes University, Loughborough University, University of London, University of Leeds and University of Reading.

Blackbaud tried to downplay the incident last week, assuring clients that no payment card or bank account information had been compromised. It has since been confirmed, however, that other sensitive information, including personally identifiable information, addresses and estimated wealth, was indeed exposed in some cases.


About the ransomware attack

Blackbaud has stated that it first became aware of the threat in May and shortly afterwards paid the attackers a ransom in return for the stolen data being destroyed. This is only coming to light now because affected clients of the company were not informed of the breach until two months after the incident.

Although Blackbaud has insisted it received confirmation from the cyber criminals that the stolen data was destroyed, there is no technical means for a victim to verify that every copy of exfiltrated data has actually been deleted, so such a claim rests entirely on the word of the extortionists. Security experts from the consultancy firm Privacy Matters questioned the trustworthiness of this claim, stating:

"The hackers would know these people have a propensity to support good causes. This would be valuable information to fraudsters who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details."

Blackbaud has also emphasised that changes have been made to avoid similar attacks taking place in the future, stating, "We believe the strength of our cybersecurity practice and advanced planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again."


Businesses must remain vigilant about supply chain data protection

Protecting your organisation from the consequences of a supply chain partner falling victim to a cyber attack is a tough problem to solve, as the partner's security is almost entirely out of your hands as a separate business entity. There are, however, a handful of ways you can reduce your exposure.

To offer some more clarity on this, we have highlighted three key best practices to help improve your supply chain cyber security:

  1. Organise & classify your supply chain list
    The first step every business should take in reducing the risk of supply chain cyber attacks is the simple but often overlooked process of keeping an organised register of all of your third-party partners and providers. For each one, record important information such as the data they have access to and, where known, the security measures they have in place.
    This register lets you identify outdated services your company no longer needs (the shorter your list, the less third-party risk you face) and highlights the higher-risk firms, for example those with access to the most sensitive data or the largest volume of it, which helps guide future business decisions.

  2. Appoint a Data Protection Officer
    Having a Data Protection Officer whose attention is devoted fully to keeping business data secure is a recommended practice in general, but it is especially helpful for supply chain management. Online threats and the security controls that counter them are constantly evolving, so time-consuming tasks such as regularly checking in with your vendors to verify their security procedures, and updating your incident response plans as new attack tactics emerge, are becoming increasingly vital.

  3. Create a Culture of Cyber Awareness
    Cyber awareness training is increasingly discussed by industry experts beyond conversations focused solely on spear phishing and social engineering, and for good reason. Creating a company-wide culture of security awareness through regular and up-to-date training, and extending it to users in partner and vendor companies, can drastically reduce your chances of falling victim not only to attacks that prey on human error, but also to those that target software or server vulnerabilities, as employees are more likely to be vigilant when setting up and monitoring the relevant protections.

    So, when you next review your security awareness training strategy, consider not only how it will apply to your own users but also start a discussion with your supply chain about the measures they have in place and their plans for the coming year.