Cyber Incident Victim: De Montfort University
Date: May 2020
Location: United Kingdom
Summary
A ransomware attack targeting software provider Blackbaud compromised data from multiple universities and charities, including De Montfort University, after hackers stole a subset of information from the company's systems. The breach exposed personal details such as phone numbers, donation histories, and event attendance records of alumni, staff, and supporters, though financial data remained unaffected. Blackbaud paid the ransom and received assurances the stolen data was destroyed, but faced criticism for delaying victim notifications by weeks—potentially violating breach disclosure regulations. The incident underscored supply chain risk, as vulnerabilities in a third-party software provider enabled unauthorized access to institutional supporter databases globally.
Description
The May 2020 ransomware attack targeting Blackbaud, a major U.S.-based provider of education administration and fundraising software, compromised data from De Montfort University and over 20 other UK, U.S., and Canadian educational institutions and charities. Hackers breached Blackbaud’s self-hosted environment, exfiltrating a subset of data before being locked out. The attackers subsequently issued a ransom demand, which Blackbaud paid in exchange for assurances that the stolen data copy had been destroyed. The company discovered and halted the attack in May but delayed notifying affected clients for several weeks, violating GDPR’s 72-hour breach notification requirement. UK and Canadian data authorities were only informed in late July 2020.

Compromised data from De Montfort University and other institutions included names, phone numbers, donation histories, and event attendance records of alumni, staff, current students, and supporters. Financial details such as credit card information were not exposed. Blackbaud’s NetCommunity platform—a dedicated alumni engagement system—was confirmed as one affected product. All impacted organizations, including De Montfort University, issued formal apologies via letters and emails to affected individuals. The UK National Cyber Security Centre provided incident response support but criticized Blackbaud’s ransom payment, emphasizing that such actions incentivize future attacks and undermine collaborative security efforts. The breach highlighted systemic supply chain vulnerabilities, as a single vendor compromise cascaded across dozens of dependent institutions globally.
