It has been reported that a Sheffield university has confirmed it was one of more than 20 charities and educational institutions across the UK, US and Canada to have had data stolen after hackers attacked a cloud computing provider. Sheffield Hallam University said it believes that the “names and contact details for alumni, donors, and other stakeholders” were taken during the cyberattack in May. The hack targeted Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software. Sheffield Hallam said that it is managing the incident “in accordance with its data security procedures” after confirming that it had been affected.
Commenting on this, Jonathan Knudsen, senior security strategist at Synopsys, said: "The aftershocks from the Blackbaud compromise continue to ripple outward, causing heartburn, financial damage, and reputational damage in equal parts. How can we learn from this incident? First, every organisation is a software organisation, regardless of underlying mission or purpose. The immediate consequence is that every organisation must manage the risk of software misconfigurations, mistakes, and mischief. Every organisation must have a software security awareness, with plans and processes for minimizing the business risk that is associated with the software it is using.
"Second, the Blackbaud incident shows that managing software risk has a larger scope than just one organisation. The software security deficiencies of partner or supplier organisations become your own problems when you depend upon them for delivering products or services. Correctly managing software and business risk encompasses managing risk from external vendors. It is easy to take software for granted as just part of doing business, but it is crucial to understand that the software we all use is itself a significant source of risk and must be managed just like any other business risk."