Cyber Incident Victim: King's College London
Date: May 2020
Location: United Kingdom
Summary
A ransomware attack targeting Blackbaud, a third-party cloud provider serving multiple UK universities including King's College London, compromised personal data such as names, birthdates, addresses, phone numbers, and email addresses. The breach prompted legal investigations alleging insufficient data protection by the institutions, with claims of GDPR violations and potential compensation for distress caused by privacy violations. Affected individuals expressed concerns about future targeting and required emotional support, while the involved universities notified potential victims and maintained that standard security precautions were adequate despite ongoing legal scrutiny.
Description
In 2020, a ransomware attack targeted Blackbaud, a cloud computing provider serving educational institutions, corporations, and foundations. The breach compromised confidential data belonging to students, staff, and partners at multiple UK universities, including King's College London, the University of Surrey, the University of York, South Wales University, Cumbria University, Leeds University, Birmingham University, Newcastle University, and Reading University. Stolen information included names, dates of birth, addresses, phone numbers, and email addresses. Blackbaud notified affected universities of the incident earlier in the summer of 2020, prompting institutions like the University of Surrey to launch internal investigations. The universities determined that compromised data belonged to individuals associated with their organizations, though they advised affected parties that no specific remedial actions beyond standard online security precautions were necessary.

The incident triggered legal action coordinated by law firm Simpson Millar, which initiated investigations and proceedings after hundreds of individuals from nine universities expressed concerns. Robert Godfrey, Head of Professional Negligence at Simpson Millar, characterized the breach as a violation of GDPR and data protection rules, asserting that affected individuals had valid claims for damages due to distress, anxiety about future targeting, and disruption to their lives. The University of Surrey confirmed its data held by Blackbaud was compromised but emphasized it had notified potentially affected individuals promptly. No direct comments were provided by Blackbaud regarding the incident. Affected parties were directed to contact Simpson Millar for legal advice, with the firm anticipating significant psychological and logistical impacts requiring familial and social support networks.
