Bletchley Park's software supplier's computer system is hacked in data breach ransomware attack

Software containing personal details of Bletchley Park members and donors was attacked by a hacker demanding a ransom.

Wednesday, 12th August 2020, 1:30 pm
Updated Wednesday, 12th August 2020, 2:58 pm

And, it has been revealed, the ransom demand has been paid to persuade the cyber criminals not to misuse the data.

This week Bletchley Park officials have written to everybody on their mailing list to inform them about what happened.

A statement released by the Park said: "We were recently notified by Blackbaud, one of our software suppliers, that they have suffered a data breach due to a ransomware attack on their own system... Unfortunately, a significant number of universities and charities have been affected by this issue and this list includes Bletchley Park Trust.

"This breach involved records containing personal information, which may include one or more data fields such as names, titles, dates of birth, email addresses, donation history, mailing or enewsletter list preference, event attendance or membership, depending on data subjects’ engagement with the Bletchley Park Trust."

No financial or bank card details were held on the system, the statement said.

It added: "The Blackbaud Cyber Security team, along with independent forensics experts and law enforcement agencies, successfully stopped the attack and secured the destruction of any data held by the cybercriminal.

"Blackbaud has informed us that it has no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom."

The Park has assured people their data is now secure.

At least 10 universities in the UK, America and Canada have had data about students stolen after hackers attacked US-based Blackbaud, which is one of the world's largest providers of education administration, fundraising, and financial management software.

Human Rights Watch and the children's mental health charity, Young Minds, also confirmed they were affected.

Blackbaud's systems were hacked in May and the company has been criticised for not disclosing this publicly until July and for paying the hackers a ransom. The sum they paid has not been disclosed.

The Bletchley Park statement said: "Blackbaud has informed us that it has no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom. Accordingly, they advise that they do not believe that it will be misused or will be disseminated or otherwise made available publicly."

It added: "Blackbaud have reported this breach to the Information Commissioner’s Office (ICO), and we also submitted our own report to the ICO and are working with them to ascertain any follow up actions required.

"We have initiated a review of how and where we store our data and our future relationship with Blackbaud."

One member whose data was on the Park's computer is not happy though.

He said: "I believe it's poor form that they are trying to imply that paying the ransom to criminals was somehow a successful containing of the incident by their IT supplier Blackbaud.

"In my view, this is a textbook case of how not to deal with a ransomware attack and until we condemn such responses we’re going to see a lot more of these attacks."