Blackbaud hack: National Trust confirms data breach

125 organisations in the UK have contacted the ICO in relation to data breach

The National Trust has confirmed that it is dealing with a data breach linked to the cloud services provider Blackbaud.

The charity, which looks after historical attractions and places of natural beauty in Britain, told the BBC that data around its fundraising and volunteering communities had been compromised in the attack, but it did not impact data of its wider 5.6 million members.

An internal investigation is currently under way to find out if further action is needed to secure users' data.

"We are currently in the process of identifying and informing those affected," Jon Townsend, the trust's chief information officer, told the news agency.

"We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission," he added.

The Information Commissioner's Office (ICO) told the BBC that 125 British organisations, including dozens of educational institutions, had contacted it in relation to data breach. Mental health group Young Minds, the terminal illness charity Sue Ryder, and charities The Wallich and Crisis are among the organisations affected in the cyber incident.

"BlackBaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries," a spokeswoman for the ICO said.

The cyber incident, which occurred in May, was publically revealed last week after Blackbaud stated on its website that it had paid ransom to hackers after being promised that all stolen data would be destroyed by them.

"Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed," the company said.

While it claimed that no payment card or bank account details were compromised in the incident, the BBC said that in some cases, the compromised data involved donors details including:

name, age and address
identified assets and estimated wealth
value of past donations to the organisation
history of political and philanthropic gifts
spouse's identity and gift-giving history

In a statement, the University of York said that university officials were "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security."

The University of Newcastle is another educational institution to confirm the data breach.

"We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," a spokeswoman said.

"We apologise for any concern or inconvenience caused... and we have initiated a security review."

According to the BBC, the following UK educational institutions are confirmed to have suffered the data breach:

ACS International Schools
Aberystwyth University
Brunel University, London
Brasenose College, University of Oxford
De Montfort University
Hughes Hall College, University of Cambridge
Heriot-Watt University, Edinburgh
King's College, London
Loughborough University
Oxford Brookes University
Robert Gordon University
St Albans School, Hertfordshire
Selwyn College, University of Cambridge
Staffordshire University
Sheffield Hallam University
University College, Oxford
University of Birmingham
University of Aberdeen
University of Bristol
University of Exeter
University of Durham
University of Kent
University of Glasgow
University of Liverpool
University of Leeds
University of London
University of Newcastle
University of Manchester
University of Northampton
University of Reading
University of Sussex
University of South Wales
University of Strathclyde
University of York

Other UK non-profits organisations:

Young Minds
The National Trust
Action on Addiction
Breast Cancer Now
Maccabi GB
Choir with No Name
Crisis
Sue Ryder
The Wallich
The Urology Foundation