Blackbaud university ransomware – the danger of supply chain attacks

The breach of more than 20 universities demonstrates the “multiplier effect” of supply chain attacks.
24 July 2020

More than 20 organizations were breached, including the University of Oxford. Source: Shutterstock

This week delivered a stark reminder of the risks of supply chain attacks, with more than 20 universities and charities across the UK, US and Canada reporting that they had fallen victim to a cyber-attack via compromised cloud provider Blackbaud.

Blackbaud – which provides cloud services to the education sector as well as fundraising and financial management software – was reportedly held to ransom earlier this year, and paid the undisclosed ransom to the attackers. 

According to a statement by Blackbaud, “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”

However, the breached company waited weeks to warn its clients that data had been stolen, which, in some cases, included the personal details of existing staff, students and other parties. Under GDPR (General Data Protection Regulation), businesses are required to report a data breach to regulators within 72 hours.

Some of the stolen data included phone numbers, donation history and events attended. However, credit card and other payment details were not thought to have been breached. 

A confirmed list of affected universities and colleges was published by the BBC:

  • De Montfort University
  • University of Strathclyde
  • University of Exeter
  • University of York
  • Oxford Brookes University
  • Loughborough University
  • University of Leeds
  • University of London
  • University of Reading
  • University College, Oxford
  • Middlebury College, Vermont
  • West Virginia University
  • New College of Florida
  • Cheverus High School: Catholic High School Portland
  • The Bishop Strachan School, Canada
  • University of North Florida
  • Ambrose University, Alberta, Canada
  • Rhode Island School of Design, US

Other affected organizations, which included charities, were:

  • Choir with No Name
  • Vermont Foodbank
  • Vermont Public Radio
  • Northwest Immigrant Rights Project
  • Human Rights Watch
  • Young Minds

Chris Ross, SVP at Barracuda Networks, commented that university servers are increasingly attractive targets for cybercriminals, storing a wealth of valuable data including sensitive student and staff information, such as addresses, passwords, payment details, and confidential research.

In the current climate with more students relying on virtual learning, the risks are heightened, and entry points for attackers multiplied. 

“With more students than ever relying on cloud infrastructure to manage the transition to digital classes and online exams, the threat facing them has never been higher. In fact, our recent research found that 46% had experienced at least one security incident since the lockdown, with more than half (51%) recording an increase in the number of email phishing attacks,” said Ross. 

“This is not the first, nor will it be the last major cyber attack to affect universities […] and it’s important that these institutions understand the threat facing them, and effectively administer security training and software across the board to tackle it,” he added.

Speaking to TechHQ this week, renowned ransomware expert Fabian Wosar warned of the dangers of paying ransoms to attackers, particularly in light of the growing trend of exfiltration+encryption attacks, which combine the disruption of a ransomware attack with the long-term consequences of a data breach, leaving doors open for further attacks in future on the same or other organizations involved.

While it’s not illegal to pay hackers, it’s strictly advised against by law enforcement such as the FBI and Europol. Not only is there no guarantee that hackers will unlock data or destroy their copies, but paying also encourages future attacks and potentially funds further criminal activity.

Nominet’s chief information security officer, Cath Goulding, said that the attack demonstrates the “multiplier effect of supply chain attacks and reinforces the advice that security needs to be a collaborative exercise.”