Cyber Incident Victim: University of South Wales

In 2020, a ransomware attack targeted Blackbaud, a cloud computing provider serving educational institutions, compromising personal data of students, staff, and partners from multiple UK universities including the University of South Wales. The breach exposed confidential information such as names, dates of birth, addresses, phone numbers, and email addresses. Blackbaud notified affected universities earlier in the summer of 2020, prompting investigations. The University of Surrey, among others, confirmed its data held by Blackbaud was compromised and stated it immediately launched a detailed inquiry upon notification. The university advised affected individuals to maintain normal day-to-day online security precautions, asserting no further specific actions were necessary. Other impacted institutions included the University of York, Cumbria University, Leeds University, Birmingham University, Newcastle University, Reading University, Surrey University, and Kings College London.

Law firm Simpson Millar initiated legal proceedings against the universities on behalf of hundreds of affected individuals, alleging failure to adequately protect personal data under GDPR and data protection rules. Robert Godfrey, Head of Professional Negligence at the firm, characterized the breach as a "clear violation" causing distress, anxiety about future targeting, and potential entitlement to compensation for emotional injury and life disruption. The firm reported inquiries from individuals across nine universities, indicating widespread impact. A University of Surrey spokesperson reiterated that Blackbaud’s systems were compromised but did not disclose specific mitigation measures beyond notifying potentially affected parties. Blackbaud declined to comment, while Simpson Millar provided a contact number for those seeking legal advice regarding the breach.