Since the start of the COVID-19 outbreak, the rate at which cyberattacks are growing has become a worrying matter. With everything moving online, cybercriminals have more chances to get their hands on sensitive or important data. Although organizations all over the world are doing everything they can to keep their security measures up to date, cybercriminals are still able to find vulnerabilities. So today, we'll be looking at a recent Blackbaud hacking incident that took place during the COVID-19 pandemic, and at the new security program Apple is working on to make the iPhone more secure.
Blackbaud Hack: A Ransomware Attack Incident That Stole Universities' Data
About eight universities in Canada and the UK had their alumni and student data stolen after a group of hackers targeted a cloud service provider. Social volunteer and welfare organizations such as Young Minds, Human Rights Watch, and the children's mental health charity also said they had been affected by the cyberattack. This time, the hackers targeted Blackbaud, one of the world's largest software providers for fundraising, financial management, and education administration.
For your information, the systems of the US-based company Blackbaud were hacked in May, but the company did not disclose this until July. According to sources, it also paid the hackers an undisclosed ransom to keep them quiet. In some cases the breached data was limited to that of former students, who had been asked to support their old institutions financially; in others it extended to staff, current students, and other supporters.
According to BBC, the universities and colleges affected by the cyberattack are:
- Oxford Brookes University
- Young Minds
- University of Reading
- University of York
- Human Rights Watch
- University College, Oxford
- Rhode Island School of Design in the US
- University of London
- Loughborough University
- Ambrose University in Alberta, Canada
- University of Leeds
As a result, all the universities and colleges have had to send apology letters to everyone whose data was compromised. Blackbaud did not provide a clear picture of who was affected by the incident, saying that it wanted to respect the privacy of its customers. In a statement provided to the BBC, the company said: "We discovered and stopped a ransomware attack in May 2020. But before we took any action, the cyber-criminal removed a copy of a data subset from our self-hosted environment. After that, we paid the ransom demand." It is not illegal to pay a ransom, but doing so goes against the guidance of law enforcement agencies such as the FBI, Europol, and the NCA.
Blackbaud said it had made sure that the copy of the data removed by the hackers had been destroyed. The clients that were not affected by the incident are:
- The University of the West of Scotland
- Islamic Relief
- University College, London
- Prevent Breast Cancer
- Queen’s University Belfast
Later on, Blackbaud officials said that they were working with third-party investigators and law enforcement agencies to check whether the data had been circulated or sold on the dark web.
What privacy law says in this matter
- Under GDPR (General Data Protection Regulation), companies must report a significant data breach to the responsible authorities within 72 hours of the incident; otherwise they face potential fines.
- The UK's Information Commissioner's Office (ICO) and the Canadian data authorities were both informed of the breach only last weekend, in July 2020, weeks after the incident happened.
- A spokeswoman for the ICO said: "Blackbaud reported the hacking incident that affected multiple data controllers to the ICO. We are investigating the matter with Blackbaud and the respective controllers, and ask all affected clients to evaluate whether they have to individually report the incident to the ICO or not."
In a statement released by the University of Leeds, the university said: "We assure our alumni that since we came to know about this hacking incident, we have been working tirelessly to investigate the matter. Our alumni community does not have to take any action at this time, although we suggest everyone remain vigilant right now."
Apple’s New Security Programme to Make iPhones More Secure
Apple is introducing a new security program in which it will give privileged access to special iPhones that security researchers will use to spot vulnerabilities. Those researchers will be responsible for reporting the vulnerabilities back to the company. This new program will not help the Google team that has been finding bugs in Apple devices for many years.
The SRD (Security Research Device) will only be used in controlled settings, on a 12-month renewable basis, by security researchers. It will remain Apple's property. Currently, security researchers have to jailbreak an iPhone to find vulnerabilities. This process has several limitations, among them that jailbreaks are often only available for older devices.
Apple's new Security Research Device Programme will enable researchers to pinpoint vulnerabilities with dedicated iPhone hardware, the SRD. The company said: "The devices are not for personal use and will remain on the program participants' premises at all times. Only the people authorized by Apple will have access to SRDs." But this move is not going to benefit Google's Project Zero team.
"It seems that we won't be using Apple SRDs because of vulnerability disclosure restrictions whose purpose is to exclude Project Zero and researchers who use a 90-day policy. In 2014 or early 2015, we first asked Apple for a security research test device, and since then, we have reported over 350 security vulnerabilities to the company," tweeted Ben Hawkes, team lead of Project Zero.
Nevertheless, the Project Zero team plans to continue its research on Apple platforms and to provide Apple with reports of its findings. Apple also said that security researchers will have shell access and can choose entitlements and run any tools. If a researcher uses a Security Research Device to find, test, verify, confirm, or validate a vulnerability, then they must report it to Apple. If the bug is in third-party code, it must be reported to that party. If the SRD is not being used for security research work, reporting back to Apple is not compulsory; despite this, the company encourages researchers to do so by offering appropriate rewards.
Device availability is limited at the moment, so only a few selected candidates can participate. Qualified applicants who do not receive a device will automatically be considered during the 2021 application period. Apple also said that not all researchers will be eligible for the program, and that participation in the SRD Programme is subject to review.