Hacker paid off after personal information of NUI Galway alumni breached

University’s foundation mailing list suffers cyber attack

Personal information of NUI Galway alumni was breached in a recent cyber-attack targeting a company linked to the university's fundraising foundation.

In an email on Wednesday, Galway University Foundation notified individuals on its mailing list that their data had been subject to a cyber-attack. Credit card and bank account details were not compromised.

Blackbaud Inc, a company the foundation uses to manage its database of contacts, was the target of a ransomware hack. In a ransomware attack, cybercriminals shut down an individual computer or company system and demand money to restore it to normal.

In an email, seen by The Irish Times, the university foundation said it had “immediately launched our own investigation,” and had reported the matter to the Data Protection Commissioner. The hack took place in May.


University foundations are entities often set up to raise funds from donors and alumni.

Dónal Cahalane, finance director of Galway University Foundation, told those on its mailing list and alumni network that a “limited amount” of their personal information may have been breached in the hack.

“At this time, we understand Blackbaud discovered and stopped a ransomware attack. This incident has affected several universities and other Blackbaud not-for-profit clients internationally,” the email said.

The company stopped the cybercriminal from shutting down its system and locked the hacker out.

“However, before being locked out, the cybercriminal removed a copy of a backup file containing personal information including a subset of NUI Galway data,” Mr Cahalane said.

The cybercriminal did not access credit card information or bank account details, and students’ data was not affected by the hack, the email said.

“Blackbaud has determined that the file removed may have contained names; contact information including telephone numbers, email addresses, and mailing addresses; and a history of our alumni and supporters’ relationships with our organisation up to that point,” Mr Cahalane said.

Blackbaud had paid the cybercriminal to destroy their copy of the data stolen in the hack, he said.

Not party to decision

NUI Galway was “not party to the decision to make this payment and only became aware of this payment after it had occurred,” he said.

“Based on the nature of the incident, their research, and a third party (including law enforcement) investigation, Blackbaud do not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly and are continuing to monitor this,” he said.

As a result of the hack, the university would review its relationship with the third-party service provider Blackbaud, he said.

Jack Power


Jack Power is acting Europe Correspondent of The Irish Times