Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.
Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.
Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.
According to BBC News:
Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.
Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.
The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.
You can read the full article from the BBC here.
How Blackbaud has approached the hack is extremely worrying, especially given how sensitive data was stolen including “phone numbers, donation history and events attended”.
There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with this issue has left those affected unable to take steps to prevent themselves.
If you want advice on how to handle these kind of situations and your data protection procedures, get in touch with us today for our expert advice.
The popular Android app store Aptoide has apparently been breached, with millions of users having their data stolen by a hacker.
Aptoide is a third-party app store, meaning it isn’t operated by Google or provided by a smartphone manufacturer, and claims to have over 150 million users, 7 billion downloads, and 1 million apps.
However, its popularity has now made it a target for a hacker, who has seemingly stolen the details of 39 million users and published 20 million of those online.
According to ZDNet:
The leaked information, which ZDNet obtained a copy with the help of data breach monitoring service Under the Breach, contains information on users who registered or used the Aptoide app store app between July 21, 2016, and January 28, 2018.
Data leaked today that can be classified as “personal identifable information” includes details such as the user’s email address, hashed password, real name, sign-up date, sign-up IP address, device details, and date of birth (if provided).
Other details also include technical information such as account status, sign-up tokens, developer tokens, if the account was a super admin, or referral origin.
You can read the full article at ZDNet here.
Aptoide has subsequently taken steps to improve its security systems, and in a statement on their website stated:
We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.
Besides continuous training, we have hired external companies to audit our infra-structure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe.
Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward.
Read the statement in full here.
While you should always be careful about using third party apps, Aptoide has generally been considered one of the more secure and it’s clear that they are taking positive steps in the wake of this breach to protect users and learn from the experience.
However, this also demonstrates the importance of not reusing usernames and passwords across multiple platforms. Any users doing so whose data was stolen will now find themselves at risk if they used the same credentials elsewhere.
If you’re concerned about how your organisation should respond to a data breach of this sort, contact us today to get our expert advice.
900,000 people have been hit by a Virgin Media data breach in which a database containing personal details was accessible over the internet for 10 months.
The database contained details including email addresses, home addresses, and phone numbers, which were being stored for marketing purposes.
Virgin Media have stated that the breach took place due to the database being “incorrectly configured” by a member of staff. There was no hacking or malicious intent behind the breach, although it was also apparently accessed “on at least one occasion” by an unknown and unidentified user.
Zoe Kleinman, Technology Reporter at BBC News, stated that:
The fact that Virgin Media’s database hasn’t been actively hacked is reassuring for customers, but while the details are light, it sounds like human error is to blame and that is rather embarrassing for a tech firm.
Ten months is a long time for all that data to have just been sitting there, waiting to be found.
And while no passwords or bank details were among it, there’s an awful lot of contact information for a cyber-criminal to work with. Phishing expeditions – when someone tries to get financial information out of a victim by pretending to be a company with a legitimate reason for contact – are not particularly sophisticated, but they are effective for those caught off-guard, and can be a lucrative source of income.
It’s unclear whether this was yet another case of unsecured data being stored on a cloud service that’s easily searchable if you know how. There have been dozens of examples of this lately, including just this week a database of the personal details of people using train station wi-fi around the UK.
Virgin Media has apologised and really, there’s very little practical advice to offer in the light of this kind of breach, beyond the usual protocol of staying alert to any messages requesting personal information or access to any kind of finance.
You can read the full article on this story from the BBC, with Kleinman’s commentary, by clicking here.
This Virgin Media data breach is the latest in a series, from various organisations, which have seen databases left unsecured online. For example, a Microsoft database containing 250 million details was left exposed in December, as we reported here.
This is a worrying trend, and shows that these databases should be configured carefully by people who know the proper procedures and are fully trained and knowledgeable about cybersecurity.
Virgin Media has taken steps to close access the database, contact the ICO, and notify those affected by the breach, with advice about how to protect themselves from potential repercussions. While these are all positive steps, there’s no doubt that significant errors have been made and this breach could easily have been avoided.
If you want advice on how to protect user data, get in contact with our GDPR consultants today for invaluable, expert advice.