The National Trust has confirmed that it is dealing with a data breach linked to the cloud services provider Blackbaud.
The charity, which looks after historical attractions and places of natural beauty in Britain, told the BBC that data around its fundraising and volunteering communities had been compromised in the attack, but it did not impact data of its wider 5.6 million members.
An internal investigation is currently under way to find out if further action is needed to secure users' data.
"We are currently in the process of identifying and informing those affected," Jon Townsend, the trust's chief information officer, told the news agency.
"We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission," he added.
The Information Commissioner's Office (ICO) told the BBC that 125 British organisations, including dozens of educational institutions, had contacted it in relation to the data breach. Mental health group Young Minds, the terminal illness charity Sue Ryder, and charities The Wallich and Crisis are among the organisations affected by the cyber incident.
"Blackbaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries," a spokeswoman for the ICO said.
The cyber incident, which occurred in May, was publicly revealed last week after Blackbaud stated on its website that it had paid a ransom to the hackers after being promised that they would destroy all stolen data.
"Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed," the company said.
While it claimed that no payment card or bank account details were compromised in the incident, the BBC said that in some cases, the compromised data involved donors' details including:
- name, age and address
- identified assets and estimated wealth
- value of past donations to the organisation
- history of political and philanthropic gifts
- spouse's identity and gift-giving history
In a statement, the University of York said that university officials were "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security."
The University of Newcastle is another educational institution to confirm the data breach.
"We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world's largest providers of alumni database software," a spokeswoman said.
"We apologise for any concern or inconvenience caused... and we have initiated a security review."
According to the BBC, the following UK educational institutions are confirmed to have suffered the data breach:
- ACS International Schools
- Aberystwyth University
- Brunel University, London
- Brasenose College, University of Oxford
- De Montfort University
- Hughes Hall College, University of Cambridge
- Heriot-Watt University, Edinburgh
- King's College, London
- Loughborough University
- Oxford Brookes University
- Robert Gordon University
- St Albans School, Hertfordshire
- Selwyn College, University of Cambridge
- Staffordshire University
- Sheffield Hallam University
- University College, Oxford
- University of Birmingham
- University of Aberdeen
- University of Bristol
- University of Exeter
- University of Durham
- University of Kent
- University of Glasgow
- University of Liverpool
- University of Leeds
- University of London
- University of Newcastle
- University of Manchester
- University of Northampton
- University of Reading
- University of Sussex
- University of South Wales
- University of Strathclyde
- University of York
Other UK non-profit organisations:
- Young Minds
- The National Trust
- Action on Addiction
- Breast Cancer Now
- Maccabi GB
- Choir with No Name
- Sue Ryder
- The Wallich
- The Urology Foundation