Hackers secured access to the online system – Blackbaud – last month
Students, staff and partners of universities across the UK who may have had their personal details leaked online are preparing to take legal action against the organisations amidst concerns that more should have been done to protect their data.
Confidential information including names, dates of birth, addresses, phone numbers and email addresses are thought to have been stolen by hackers in the ransomware attack which took place this year on Blackbaud – a cloud computing provider that serves non-profits, foundations, corporations, education institutions and healthcare organisations.
An investigation is currently underway to determine the full extent of the breach, with institutions including York University, South Wales University, Cumbria University, Leeds University, Birmingham University, Newcastle University, Reading University, Surrey University and Kings College London affected.
Hundreds of site users have since expressed their concern over the breach, and dozens of individuals have now instructed law firm Simpson Millar to begin investigations and to start legal proceedings.
Robert Godfrey, Head of Professional Negligence at Simpson Millar solicitors – who is also handling hundreds of data breach claims for hacked easyJet customers, as well as members of the British Dental Association who have also been affected by leaked information – said the data breach was ‘deeply concerning’.
He says anyone affected by the breach could have a valid claim for damages against the University of Cumbria for the distress caused by the ordeal.
He said: “We have had members of the universities contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of GDPR and data protection rules.
“I am confident any person whose details have been accessed could have a valid claim. It is clear there has been of breach of individuals’ right to privacy and the universities are ultimately responsible. There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives.
“Many will be anxious and fear they will be targeted at home or work in the future.
“There is no doubt that the affected people are going to need support in this difficult time both from their family and friends. We’ve had individuals from nine UK universities approach us, so this breach can be expected to have had a significant impact on a large number of people.
“The universities have a very clear duty of care to ensure that the members of their sites, who hand over their confidential information to them have their data secure and protected, are not exposed such as has happened in this breach.
“We would strongly suggest that those who are contacted by the universities involved should seek legal advice about their options as a result of this breach.”
The University of Cumbria declined to comment.
Those seeking advice are urged to contact Mr Godfrey of Simpson Millar on 0800 260 5010.