More British universities have revealed that they were casualties of the data breach incident at cloud services supplier Blackbaud.
Newcastle University has now publicly disclosed that its data had been compromised by the breach.
Responding to a query from the BBC, a spokeswoman for the university said: “We were made aware of a security incident involving a service provider we use, BlackBaud, one of the world’s largest providers of alumni database software.
“We apologise for any concern or inconvenience caused… and we have initiated a security review.”
Blackbaud, which is headquartered in South Carolina in the US, has disclosed that it first became aware of the incident in May and has now confirmed that it paid the hackers a ransom.
However, clients of the firm, which include numerous British universities and charitable organisations, were only told of the breach on 16th July.
The company insists that the compromised data did not include payment card or bank account details, though a source has informed the BBC that other sensitive data pertaining to affected organisations’ donors was involved.
This included names, ages and addresses, employers, car licence numbers, the amount of previous donations, the donor’s history of charitable donations and gifts, spouses’ identity, and estimated wealth and assets.
Blackbaud has so far refused to publicly name the affected clients, but the BBC has learnt that the breach affected numerous British universities and schools.
The schools include Radley College in Abingdon, St Aloysius’ College in Glasgow, and St Albans School in Hertfordshire.
The UK universities affected by the breach include the University of Cambridge’s Hughes Hall College and Selwyn College, as well as Oxford University’s Brasenose College.
More recently, the University of York, De Montfort University, King’s College London, Newcastle University, Aberystwyth University, and the University of South Wales have confirmed that some of their data had been stolen.
The list of affected UK universities and schools is considerably longer, however, and multiple schools and higher education colleges in the US and elsewhere were also affected, as well as numerous museums, charities, churches and food banks.
In a statement to the BBC, the UK’s Information Commissioner’s Office (ICO) confirmed that it was aware of 125 British organisations that had reported being affected by the incident to date.
An ICO spokeswoman said that people were entitled to expect that organisations would protect their personal data securely.
She added: “BlackBaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries.
“Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted.”
The security firm Redscan, meanwhile, has revealed that, based on Freedom of Information requests it had made, an estimated 54% of British universities have suffered some form of data breach during the last 12 months.
Redscan has also found that a quarter of the universities affected have not invested sufficiently in cyber security.
A quarter of the affected universities had confirmed that they had not conducted any external penetration testing, while almost half had not provided their staff with adequate security training in the previous year.
Describing these security deficits as “concerning”, Redscan’s CTO Mark Nicholls said: “Breaches have the potential to seriously impact organisations’ reputation and funding.”