The non-governmental organization Human Rights Watch and the children's mental health charity Young Minds also confirmed that they were affected by the attack.
The hack targeted Blackbaud, one of the largest providers of training, fundraising and financial management software.
The hack of Blackbaud's systems took place in May.
The provider has been heavily criticized for not immediately disclosing the incident. The disclosure to the affected parties took place in July. The company said that it paid a ransom, but did not mention the exact amount of money.
In some cases, the compromised data was limited to that of alumni who had been asked to financially support the institutions from which they had graduated. But in other cases, data of staff, current students and other collaborators was exposed.
The universities and the institutions affected by the Blackbaud hack are:
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design in the US
- University of Exeter
All the institutions are sending letters and emails to apologize to users whose data was in the compromised databases.
In some cases, the stolen data included telephone numbers, donation history, and events attended by victims. Credit card data and other payment details do not appear to have been exposed.
Blackbaud, headquartered in South Carolina, declined to provide full lists of those affected, saying it wanted to "respect the privacy of its customers".
"The majority of our customers were not affected by this incident," the company said.
Blackbaud said: "In May 2020, we discovered and stopped a ransomware attack. The criminal managed to remove a copy of a subset of our data."
The statement goes on to say that Blackbaud paid the ransom. This is not illegal, but it runs contrary to the advice of security experts and law enforcement agencies, including the FBI, NCA and Europol.
Blackbaud added that the hackers assured them that they had destroyed the data after payment.
Several Blackbaud clients (including some universities) confirmed that they were not affected by the hack:
- University College London
- Queen's University Belfast
- University of the West of Scotland
- Islamic Relief
- Prevent Breast Cancer
Rhys Morgan, a cybersecurity expert and former Oxford Brookes University student (his data is still in the university databases), doubts the security of his data.
"They told my university that there was no reason to believe that the stolen data has been used or will be used for a bad purpose."
"It does not reassure me at all. How can they know what the attackers will do with this information?"
According to the General Data Protection Regulation (GDPR), companies must report data breaches to the authorities within 72 hours of discovering them, otherwise they will receive a fine.
Apparently, the UK's ICO and Canadian authorities were notified of the breach last weekend, several weeks after Blackbaud discovered the hack.