Blackbaud data breach – millions of people’s bank details and passwords may have been stolen

  • Posted on

Bank account details and passwords may have been stolen by hackers who targeted fundraising software used by many universities, schools, charities and other organisations.

Developer Blackbaud was targeted by a cyberattack in May 2020, in which hackers broke into the developer’s systems and stole personal data relating to donors and others who had shared those details with Blackbaud’s customers.

When Blackbaud initially went public with details of the cyberattack in July 2020, it stated that the attackers did not access customers’ payment details. However, the developer has now admitted that payment details and passwords may have been compromised.

Organisations believed to have been affected by this latest development include the University of Birmingham and the National Trust.

The matter has been referred to the Information Commissioner's Office (ICO), who told the BBC:

"Our investigation is ongoing and we will be making further enquiries regarding the latest developments."

A Blackbaud spokesperson said:

"We have informed the small subset of Blackbaud customers who were part of this development.

"We apologise that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cyber-crime incident."

Any organisation affected by the latest development will be legally obliged to inform any of their customers, donors or other affected parties of the risk of their data being exposed.

While having any personal data stolen can lead to an increased risk of cybercrime, having payment details exposed can lead to a much greater risk of serious financial crime. This makes the new revelation about the extent of the Blackbaud hack particularly concerning for those affected.

Wondering if you may be entitled to compensation for the Blackbaud data breach? Please get in touch.

What happened in the Blackbaud data breach?

Blackbaud’s systems were broken into by hackers in May 2020. While the hack was detected and the hackers eventually locked out, they were first able to copy personal data people had shared for various purposes with organisations that used Blackbaud’s software.

The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid. The company says it then received confirmation from the ransomers that the data had been destroyed.

According to ICO, 166 UK organisations that had been affected by the Blackbaud security breach. Many international organisations that used Blackbaud’s software have also been affected.

What data was accessed in the Blackbaud hack?

As well as the bank account information and passwords now feared to be in the hands of the Blackbaud hackers, other types of information potentially stolen includes people’s:

  • Names
  • Genders
  • Dates of birth
  • Email addresses
  • Phone number
  • Other personal records such as profession, employer and educational achievements

Which organisations are affected by the Blackbaud hack?

As well as numerous schools, colleges and universities, organisations affected by the Blackbaud data breach include charities, human rights campaigns, public radio stations and religious groups.

Some of the most high-profile victims include:

  • Brasenose College, University of Oxford
  • Hughes Hall College and Selwyn College, University of Cambridge
  • University of Birmingham
  • University of Bristol
  • University of Manchester
  • The National Trust
  • Sue Ryder
  • Various international organisations, including:
    • Boy Scouts of America
    • Cancer Research Institute, New York
    • National University of Ireland, Galway

What to do if you are worried about the Blackbaud data breach

If your data has potentially been exposed in the Blackbaud hack, the organisation that held your data should have been in touch already to let you know of the risk. If you are affected by the new revelations, you should be contacted again soon.

If you have not been contacted but believe you may be at risk because an organisation you shared your data with has been affected, you should contact them directly to find out if your data has been exposed.

If you have been notified that your personal data may have been included in the Blackbaud hack, you should also be extremely wary of any emails, phone calls or other communications you receive, especially from people claiming to represent any of the affected organisations. These could be ‘phishing’ attacks aimed at extracting more personal information from you or scams intended to get you to transfer money to the scammers.

Do not share any personal information with, or make any payment to, anyone who contacts you unless you are absolutely sure that they are legitimate and there is a valid reason to do so.

There are also various steps you can take to minimise the risk of your data being used by cybercriminals. Take a look at our guide to what to do if your data has been stolen in a data breach to find out more.

It is also worth considering whether you may be entitled to compensation as a result of the breach. This is something the team at Hayes Connor will be happy to discuss with you.

Are you owed compensation for the Blackbaud data breach?

Any organisation that you share your personal data with has a legal duty to protect that data. This includes having in place robust cyber security measures to prevent cyber attacks.

If the Information Commissioner's Office investigation finds that Blackbaud’s security measures were insufficient, it may rule that the company breached its data protection duties. Should that be the case, those affected by the hack will have strong grounds for pursuing compensation from Blackbaud.

Compensation may be available even where there is no proof of harm caused. However, where it can be shown that the victim has suffered emotional distress of financial losses due to the hack, more substantial damages may be available.

How Hayes Connor can help you claim Blackbaud data breach compensation

Hayes Connor has one of the largest teams of data breach claims specialists in the country, with decades of combined experience. If you are a victim of the Blackbaud data breach we can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.

To speak to a member of our team, please do not hesitate to give us a call on 0151 363 5895.

Find out how our experts can help you with your claim

Make a claim