Brit unis hit in Blackbaud hack inform students that their data was nicked, which has gone as well as you might expect

British universities are waking up to last week's ransomware attack on cloud CRM purveyor Blackbaud – though it appears some haven't realised the American software company paid the ransom. As hack notifications started filtering through the world of student and alumni relations management software, news reports emerged this …

  1. DavCrav Silver badge

    "Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."

    Yeah, I'm sure they did.

    1. LucreLout Silver badge

      At this point they know they are definitely dealing with a criminal who sees intrusion, theft, and blackmail as being legitimate means to acquire wealth. It rather begs the question of why lying about destruction and reselling the data would be seen as verboten, doesn't it?

    2. Steve Foster
      Facepalm

      Ah, you've seen https://www.theregister.com/2020/07/23/carding_forum_scams/, I presume.

      1. Emir Al Weeq

        Steve Foster, I came here to make exactly that same point.

    3. Robert Carnegie Silver badge

      A pile of university student coursework? Who would want it?

      1. theModge

        There's a surprising amount of money in essay writing; people who will pay £100s for an essay because they can't do it themselves could easily pay money for well graded course work to copy. Turnitin might well catch them, but that's very much not the seller's problem.

        That's not what this is though; it's alumni data; just boring CRM stuff that can be used for fraud etc.

        1. gerdesj Silver badge
          Paris Hilton

          When I were a lad at Plymouth Poly, I used to leave my maths responses in a pigeon hole, ready for collection by the tutor for marking. Thing is, I was always quite early. Every fortnight a carton of 200 fags would magically appear in my digs.

          I studied Civil Engineering and there is a small but fair chance that if you are a Brit, you have driven or walked over a bridge designed by an engineer who had a few snags with fourth order differential equations back in college.

  2. Woodnag

    Of course, the storage was actually illegal

    EU data cannot be stored in US servers. It's called GDPR.

    https://noyb.eu/en/next-steps-users-faqs

    1. spacecadet66

      Re: Of course, the storage was actually illegal

      Nowhere in the story does it say that the data was stored in US servers. The hacked servers are described as "self-hosted," so if the servers were administered by the universities, the onus of GDPR compliance was on them.

      Which doesn't make any of this look any better for Blackbaud, of course.

      1. Anonymous Coward

        Re: Of course, the storage was actually illegal

        No, the article said on Blackbaud's self-hosted servers.

        But still, they do have servers in Europe, https://kb.blackbaud.com/articles/Article/50641

        (I didn't downvote you)

    2. czechitout

      Re: Of course, the storage was actually illegal

      Data can be stored outside the EU, as long as it is held in accordance with GDPR.

      1. Anonymous Coward

        Re: Of course, the storage was actually illegal

        That broadly rules out the US, though, given the recent court case finding Privacy Shield to be inadequate (and Standard Contractual Clauses to be insufficient where the US government can legally compel the company to produce the data)

  3. nematoad Silver badge
    FAIL

    I see.

    "...to share insights into the future of giving + philanthropy."

    They certainly seem to have lived up to their aspirations on that score. What a pity that the recipients of their generosity happen to be a gang of criminals.

  4. Willy Ekerslike

    Just received the email

    Just received the email from one of my alma maters. Assurance that no payment information was taken but warning to be aware of phishing as personal details taken. Not sure if I'll be able to spot any fallout of this from all the other phishing emails that turn up... Basically, we're all vulnerable and sufficient information about most of us is out there if anyone wants it; a database like this probably gets a premium so I, too, doubt it hasn't been deleted (after all, what do the crims have to lose)...

    1. Red Sceptic

      Re: Just received the email

      Likewise, received email from a university where I have attended events in the past (public lectures) - not as an alumnus.

      What was my data as an EU citizen (then - pre-Jan 2020) doing on servers in the US? Isn’t this proscribed under GDPR?

      1. aje21

        Re: Just received the email

        Also been notified (am an alumni in my case).

      2. Anonymous Coward

        Re: Just received the email

        They have EU servers. I'd assume they were hosted there.

        https://kb.blackbaud.com/articles/Article/50641

      3. katrinab Silver badge

        Re: Just received the email

        You still have all the benefits of an EU citizen except that you no longer have an MEP representing you in parliament.

  5. Anonymous Coward

    Thankyou

    My third has now been upgraded to a first.

  6. MachDiamond Silver badge

    Leave the boxes blank

    Every time I see these stories I feel good that I stopped filling in forms and donating my personal information all over the place years ago. Cynicism should be taught in school. Lying should be taught in the years leading up to college. When I was young, I was guilty of being diligent in completely filling in a form that was handed to me on a clipboard without ever questioning why the company/school/doctor/dentist/etc needed all of that information. I've long since stopped doing that and will lie if necessary. Of course, you can't do that with the government, but as they have your info anyway, why can't they fill out the form for you and save some time? The cops have well honed BS detectors too so it's better to say nothing than to lie. Everybody else can be lied to with impunity in most cases so have at it if they're being snoopy.

  7. Terry 6 Silver badge

    At least criminals are well known to be honest and truthful, and there's no way they would have had other copies of the data they destroyed. So that's all right, isn't it?

  8. SloppyJesse

    Game over: Deposit coin to continue

    Blackbaud didn't pay so the hackers deleted the copy; they paid to get their own data accessible again.

    Any attempt to spin it another way is just that, spin.

  9. jezza99

    Don't do business with them

    Personally I would never voluntarily do business with a business which pays ransoms.

    I hope that these universities are chasing alternative suppliers right now.

    1. stevebp

      Re: Don't do business with them

      You've obviously never worked in a University...

    2. Terry 6 Silver badge

      Re: Don't do business with them

      The fact that they fucked up in the first place ought to be enough for that. But the likes of Capita etc seem to suggest that incompetence and failure don't preclude continuing to gain business these days.

      1. sitta_europea

        Re: Don't do business with them

        "The fact that they fucked up in the first place ought to be enough for that. But the likes of Capita etc seem to suggest that incompetence and failure don't preclude continuing to gain business these days."

        I wish I could give you more than one upvote for that.


Biting the hand that feeds IT © 1998–2020