Blackbaud, the world’s largest supplier of Customer Relation Management systems (CRM) for education institutions, has informed Utrecht University about a data security breach. This breach has affected a large number of educational institutions worldwide.
Utrecht University uses Blackbaud to register information about their students, alumni, donors and relations. After Utrecht University received the information from Blackbaud, the university started to do their own research in order to better understand the extent of the security breach.
The cyber attack on Blackbaud happened between the 7th of February and 20th of May according to Blackbaud. Unauthorized persons were able to get access to an outdated database of Utrecht University. After discovering what happened they informed Utrecht University on the 16th of July.
The hackers have not given away the data but have destroyed it. In recent weeks, Utrecht University has kept close contact with Blackbaud’s management to get a better understanding which data was involved.
Ransomware attack gave hackers access to old back up from 2017
In the case of Utrecht University the data that the hackers gained was an old back up from 2017. The Blackbaud server archived that in the past; the data included information about alumni, donors and business contacts. The hackers could not gain access to bank card details and passwords because they were encrypted.
Educational Institutions and foundations worldwide affected by the cyber attack
The Utrecht University were not the only ones affected by the data breach. It is known that a number of well known educational institutions have encountered that same issues; specifically ones that made use of Blackbaud’s CRM systems.
The following steps will be taken by the Utrecht University from 16th July onward:
Keep closer contact with Blackbaud’s management.
Evaluation of the university’s cooperation with Blackbaud and any follow-up steps that should be taken.
Specifically, Utrecht University wants to know:
Why does UU have an outdated backup on Blackbaud’s server?
What was the cause of the delay between the cyber attack and Blackbaud’s notification to the UU?
What can be done to improve the security systems?
Is re-organization of the internal CRM database at the university necessary to prevent another breach?
Blackbaud will send the necessary information to the UU so that they can notify those who have been affected by the breach. Those who graduated after April 2017 have not been affected. There is no need for any action to be taken by anyone else at the UU. The UU has asked to always be alert of any suspicious messages or transactions and to only open answer emails from reliable sources. Kindly report any suspicious situations to the Computer Emergency Response Team of the Utrecht University via cert@uu.nl.
Source: Utrecht University
Published on Utrecht Central
Comments