Cyber Incident Victim: University of Surrey

Date: Sep 2020

Location: United Kingdom

Summary

A ransomware attack targeting Blackbaud, a cloud computing provider servicing educational institutions, compromised personal data of individuals associated with multiple UK universities including the University of Surrey. The breach exposed confidential information such as names, dates of birth, addresses, phone numbers, and email addresses, potentially affecting students, staff, and partners. Legal proceedings were initiated against the institution for allegedly insufficient data protection measures, with claims asserting violations of GDPR and rights to privacy. The university stated it promptly investigated the incident upon notification and advised affected individuals to maintain standard online security precautions, while a law firm representing claimants emphasized potential compensation for distress and future security anxieties stemming from the breach.

Description

In 2020, a ransomware attack targeted Blackbaud, a cloud computing provider servicing educational institutions, including the University of Surrey. The breach resulted in unauthorized access to confidential personal data belonging to students, staff, and partners of the university. Stolen information included names, dates of birth, addresses, phone numbers, and email addresses. Blackbaud notified the University of Surrey of the incident earlier in the summer of 2020, prompting the university to launch an immediate investigation. The University of Surrey confirmed that data it had entrusted to Blackbaud was compromised but asserted that affected individuals only needed to maintain normal day-to-day online security precautions, downplaying the necessity for additional protective measures. The breach impacted multiple UK universities, with the University of Surrey named alongside institutions such as the University of York, University of Leeds, and King’s College London.

Legal firm Simpson Millar initiated investigations and proceedings after hundreds of individuals from nine UK universities expressed concerns about the breach. Robert Godfrey, Head of Professional Negligence at the firm, characterized the incident as a "clear violation of GDPR and data protection rules," asserting that affected individuals had valid claims for damages due to distress and potential future risks like targeting at home or work. The University of Surrey faced allegations of insufficient data protection measures, though its spokesperson emphasized it was one of many affected institutions and highlighted prompt notification efforts. No comment was provided by Blackbaud. Affected parties were directed to contact Simpson Millar for legal advice, reflecting widespread anxiety and the anticipated need for personal support networks among victims. The incident underscored systemic risks associated with third-party vendor dependencies in higher education data management.
