Cyber Incident Victim: University of Reading

Date: Sep 2020

Location: United Kingdom

Summary

A ransomware attack targeting Blackbaud, a cloud services provider, compromised personal data of individuals associated with multiple UK universities including the University of Reading. Confidential information such as names, contact details, and birthdates was exfiltrated, prompting legal investigations alleging inadequate data protection and GDPR violations by the institutions. Affected parties reported distress over potential privacy violations and future targeting risks, with a law firm initiating claims for compensation due to the breach's psychological impact. The university notified potentially impacted individuals but maintained that standard security precautions were sufficient, while the incident affected numerous educational institutions nationally.

Description

In mid-2020, Blackbaud, a cloud computing provider serving educational institutions including the University of Reading and at least nine other UK universities, suffered a ransomware attack. The breach compromised confidential personal data belonging to students, staff, and partners of these institutions. Stolen information included names, dates of birth, addresses, phone numbers, and email addresses. Blackbaud notified affected universities earlier in the summer of 2020, prompting immediate investigations. The University of Surrey—which publicly commented on behalf of multiple impacted institutions—stated it launched detailed inquiries and notified potentially affected individuals. Universities determined no specific remedial actions were required beyond normal security precautions, asserting that existing safeguards were sufficient despite the exposure of sensitive personal information.

Legal firm Simpson Millar initiated investigations and proceedings after hundreds of individuals from the affected universities expressed concerns about the breach. Robert Godfrey, the firm’s Head of Professional Negligence, characterized the incident as a clear violation of GDPR and data protection rules, emphasizing universities’ ultimate responsibility for safeguarding data. Affected individuals were advised they could pursue compensation claims for distress, anxiety about future targeting, and disruption to their lives. The breach impacted multiple institutions simultaneously through their shared third-party provider, with law firms reporting inquiries from individuals across all nine named universities. No public statements from Blackbaud regarding the incident were included in available reporting, and the University of Reading’s specific response actions beyond collective notifications weren’t detailed in disclosed materials.
