Cyber Incident Victim: Newcastle University

In 2020, Newcastle University was among at least nine UK institutions affected by a ransomware attack targeting Blackbaud, a cloud computing provider serving educational and other organizations. The breach compromised confidential personal data belonging to students, staff, and university partners, including names, dates of birth, addresses, phone numbers, and email addresses. The attack occurred earlier in the year, with Blackbaud notifying affected universities during the summer of 2020. Newcastle University, alongside the University of Surrey, York, South Wales, Cumbria, Leeds, Birmingham, Reading, and King’s College London, confirmed their data held by Blackbaud had been accessed. The universities initiated investigations upon notification, determining that stolen information could have been leaked online. No technical specifics regarding the attackers’ methods or the exact timeline of intrusion were disclosed by the universities or Blackbaud.

Following the breach, law firm Simpson Millar launched investigations and legal proceedings after hundreds of affected individuals expressed concerns. Robert Godfrey, Head of Professional Negligence at the firm, characterized the incident as a clear violation of GDPR and data protection rules, asserting that universities bore ultimate responsibility for safeguarding personal data. Affected parties were advised they could pursue compensation claims for distress, anxiety about future targeting, and life disruption caused by the breach. The University of Surrey’s spokesperson—representative of the collective institutional response—stated affected individuals were promptly notified but required no specific remedial actions beyond routine online security precautions. Blackbaud declined to comment, while Simpson Millar publicly invited impacted individuals from all nine universities to seek legal advice through dedicated contact channels.