NUI GALWAY HAS confirmed it was one of more than 20 institutions across the world affected by hackers attacking a cloud provider. 

The university said it understood that “names, telephone numbers and email addresses” in its alumni database may have been targeted in the recent Blackbaud hack. 

The software giant – which provides relationship management systems for third level institutions – was held ransom by hackers in May and paid an undisclosed sum to cyber criminals. 

The US-based firm has declined to provide lists of those affected but institutions in the UK, US and Canada have been affected with the University of South Wales the most recent to confirm it had been hacked. 

In an email to alumni NUI Galway said it had been “reassured” that alumni data will not be misused and that cyber criminals did not access credit card or bank data. Student data was also not affected, it said. 

After discovering the attack, Blackbaud’s Cyber Security team – together with independent forensics experts and law enforcement – “successfully prevented the cybercriminal from blocking their system access and fully encrypting files,” the university said. 

This “ultimately expelled them from the system,” it added. 

“However, before being locked out, the cybercriminal removed a copy of a backup file containing personal information including a subset of NUI Galway data,” the university said. 

The files removed may have contained names, contact information including telephone numbers, email addresses and mailing addresses as well as a history of alumni and supporters relationships, according to the university.

Blackbaud paid the cyber criminal’s demand with confirmation that the copy they removed had been destroyed, NUIG said. 

“Based on the nature of the incident, their research, and a third party – including law enforcement – investigation, Blackbaud do not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly and are continuing to monitor this,” it continued.

“NUI Galway was not party to the decision to make this payment and only became aware of this payment after it had occurred,” it added. 

The university has launched its own investigation into the hack and said it is “reviewing” its relationship with the third-party service provider. It said it has also informed the Data Protection Commission of the incident. 

Blackbaud, a company based in South Carolina, has been criticised for not disclosing the hacking of its systems externally in May until July and for having paid hackers an undisclosed ransom.

“The majority of our customers were not part of this incident,” the company has said.

According to a statement on its website: “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”

The statement says Blackbaud paid the ransom demand. 

Blackbaud added that it had been given “confirmation that the copy [of data] they removed had been destroyed”.  

TheJournal.ie has contacted NUI Galway for comment.