At least 10 universities in the UK, US and Canada have had data stolen about students and/or alumni after hackers attacked a cloud computing provider.
Human Rights Watch and the children’s mental health charity, Young Minds, have also confirmed they were affected.
The hack targeted Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software.
The US-based company’s systems were hacked in May.
It has been criticised for not disclosing this externally until July and for having paid the hackers an undisclosed ransom.
In some cases, the data was limited to that of former students, who had been asked to financially support the establishments they had graduated from. But in others it extended to staff, existing students and other supporters.
The institutions the BBC has confirmed have been affected are:
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Ambrose University in Alberta, Canada
- Human Rights Watch
- Young Minds
- Rhode Island School of Design in the US
- University of Exeter
All the institutions are sending letters and emails apologising to those on the compromised databases.
In some cases, the stolen data included phone numbers, donation history and events attended. Credit card and other payment details do not appear to have been exposed.
Blackbaud, whose headquarters are based in South Carolina, declined to provide a complete list of those impacted, saying it wanted to “respect the privacy of our customers”.
“The majority of our customers were not part of this incident,” the company claimed. It referred the BBC to a statement on its website: “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”