Technology

National Trust joins victims of Blackbaud hack

National Trust property Image copyright Reuters
Image caption The National Trust is a charity that looks after places of historic interest and natural beauty

The UK's National Trust is among a growing list of organisations to issue data breach alerts after an attack on cloud computing provider Blackbaud.

Others include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds.

The UK's Information Commissioner's Office (ICO) told the BBC that 125 organisations had reported to it in relation to the incident "so far".

They include dozens of universities.

And internationally, museums, schools, churches and food banks have also been affected.

"BlackBaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries," a spokeswoman for the ICO said.

"Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted."

The BBC has also been told that as of 29 July, 33 charities had also reported related incidents to the UK's Charities Commission.

Internal investigation

The National Trust said that data about its volunteering and fundraising communities had been involved, but not that of its wider 5.6 million members.

The organisation - which looks after historic buildings and gardens - added that an internal investigation was under way to assess if further action was needed.

"We are currently in the process of identifying and informing those affected," Jon Townsend, the trust's chief information officer, explained.

"We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission." 

The University of Newcastle was another body to make a public disclosure after being contacted by the BBC.

"We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," said a spokeswoman.

"We apologise for any concern or inconvenience caused... and we have initiated a security review."

Other universities have said that data on current staff and students was involved, in addition to that of past graduates.

Ransomware payment

Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom. However, the US firm only advised its clients of the breach this month, which is why notices are only now being sent to members of the public.

Some of them specifically make mention of two of Blackbaud's platforms - Raiser's Edge and NetCommunity - which are commonly used to keep track of donors and the sums they have given.

Image copyright Blackbaud
Image caption Blackbaud markets its software as a way to find "untapped potential in your existing donor database"

Blackbaud has said the data did not include bank account or payment card details.

But a source has told the BBC that in some cases it involved donors details including:

  • names, ages and addresses
  • car licence details
  • employers
  • estimated wealth and identified assets
  • total number and value of past donations to the organisation in question
  • wider history of philanthropic and political gifts
  • spouses' identity and past gift-giving
  • likelihood to make a bequest triggered by their death

Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted.

"The hackers would know these people have a propensity to support good causes," commented Pat Walshe from the consultancy Privacy Matters.

This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.

Mr Walshe also questioned if there had been a breach of the GDPR privacy law, which requires major personal data breaches to be flagged to regulators within 72 hours of discovery.

Blackbaud has said that at "every point we were working closely with law enforcement and other specialists".

"We take our regulatory responsibilities seriously and comply with GDPR at all times, including in this instance," the company told the BBC.

However, neither it nor the ICO has yet revealed when the UK watchdog was notified.

Jewish schools

Blackbaud has declined to name or number the organisations impacted, beyond saying it is a "subset" of its thousands of clients.

However, the BBC has identified some of these by contacting them directly and tracking down online notices of the security breaches.

The problem is so widespread across the higher education sector that some universities - including the University of Edinburgh and Aston University, Birmingham - have posted notices to say their data was not involved.

Some schools have also been affected, including St Albans in Hertfordshire, Radley College in Abingdon, and St Aloysius in Glasgow.

ACS International, which teaches children in London, Surrey and Qatar, has also said there is a "low threat" risk to its "alumni's and friends' information".

In addition, Maccabi GB - an organisation that provides services to 44 Jewish primary and secondary schools - has told supporters their data was among that compromised.

Beyond the UK, Hungary's Central European University is among those to have confirmed involvement.

New Zealand's University of Auckland and the National University of Ireland Galaway have also contacted alumni and donors.

But the other international organisations confirmed by the BBC have all been US and Canada-based.

They include several cancer charities, human rights campaigns, public radio stations and religious groups, in addition to schools, colleges and universities.

Who has confirmed being breached?

UK educational institutions:

  • Aberystwyth University
  • ACS International Schools
  • Brasenose College, University of Oxford
  • Brunel University, London
  • De Montfort University
  • Heriot-Watt University, Edinburgh
  • Hughes Hall College, University of Cambridge
  • King's College, London
  • Loughborough University
  • Oxford Brookes University
  • Radley College, Abingdon
  • Robert Gordon University
  • Selwyn College, University of Cambridge
  • St Albans School, Hertfordshire
  • St Aloysius School, Glasgow
  • Sheffield Hallam University
  • Staffordshire University
  • University College, Oxford
  • University of Aberdeen
  • University of Birmingham
  • University of Bristol
  • University of Durham
  • University of East Anglia
  • University of Exeter
  • University of Glasgow
Image copyright PA Media
Image caption The University of Glasgow has posted an online notice to its alumni and other donors about the incident
  • University of Hull
  • University of Kent
  • University of Leeds
  • University of Liverpool
  • University of London
  • University of Manchester
  • University of Newcastle
  • University of Northampton
  • University of Reading incl Henley Business School
  • University of Strathclyde
  • University of South Wales
  • University of Sunderland
  • University of Sussex
  • University of West London
  • University of York

Other UK non-profits:

  • Action on Addiction
  • Breast Cancer Now
  • Choir with No Name
  • Crisis
  • Maccabi GB
  • Myeloma UK
  • Sue Ryder
  • The National Trust
  • The Urology Foundation
  • The Wallich
  • Young Minds

International organisations:

  • Alpha USA charity
  • Ambrose University, Alberta
  • American Civil Liberties Union (ACLU), New York
  • Bentley University, Massachusetts
  • Boy Scouts of America
  • Boys & Girls Clubs of Delaware
  • Cancer Research Institute, New York
  • Catholic Charities of St Paul's and Minneapolis
  • Central European University, Budapest
  • Cheverus High School, Portland
  • Coastal Maine Botanical Gardens
Image copyright Getty Images
Image caption Coastal Maine Botanical Gardens has told visitors their email addresses, phone numbers and donation histories may have been compromised
  • Darlington School, Georgia
  • Des Moines University
  • Diocese of Gaylord, Michigan
  • Emerson College, Boston
  • FareStart, Seattle
  • First Place For Youth, California
  • Foodbank of Central and Eastern North Carolina
  • Hennepin Healthcare Foundation, Minnesota
  • Human Rights First, New York
  • Human Rights Watch, New York
  • Institute for Human Services, Charleston
  • Kent Denver School, Colorado
  • Kids Quest Children's Museum, Bellevue
  • Louisiana Tech University Foundation
  • Mennonite Economic Development Associates (Mena), Waterloo
  • Middlebury College, Vermont
  • New College of Florida
  • New Hampshire Public Radio
  • National University of Ireland, Galway
  • Northwest Immigrant Rights Project
  • Open Space Institute, New York
  • Rhode Island School of Design
  • St Ignatius Loyola Parish, New York
  • St Mary's College of Maryland Foundation
  • San Diego Public Library Foundation
  • Save the Children, Connecticut
  • Solid Ground, Seattle
  • Springfield Museums, Massachusetts
  • Texas Tech Foundation
  • The Bishop Strachan School, Toronto
  • University of Auckland, New Zealand
  • University of Dayton
  • University of North Florida
  • University of Western Ontario
  • Urban School, San Francisco
  • Ventura College Foundation, California
  • Vermont Foodbank
  • Vermont Public Radio
  • West Virginia University

Do you know of further related breaches or have you been personally affected by the issues raised in this story? Share your experiences by emailing haveyoursay@bbc.co.uk.

Please include a contact number if you are willing to speak to a BBC journalist.

Or use the form below:

Your contact details

If you are happy to be contacted by a BBC journalist please leave a telephone number that we can contact you on. In some cases a selection of your comments will be published, displaying your name as you provide it and location, unless you state otherwise. Your contact details will never be published. When sending us pictures, video or eyewitness accounts at no time should you endanger yourself or others, take any unnecessary risks or infringe any laws. Please ensure you have read the terms and conditions.

Terms and conditions

The BBC's Privacy Policy

More on this story