Bletchley Park visitors warned of data breach after Blackbaud ransomware attack

Some years ago I visited the fabulous site of Bletchley Park, home of the UK’s then-secret code-breaking efforts during World War II, where Alan Turing and other brilliant minds cracked encrypted messages sent by the Nazis.

So when I received a letter from Bletchley Park in the post today, I imagined it would invite me to return, containing information about how they’re handling visits during the pandemic.

Unfortunately, the news wasn’t so good.

Part of the letter reads:

“We were recently notified by Blackbaud, one of our software supplies, that they have suffered a data brech due to a ransomware attack of their own system. Blackbaud is one the world’s largest providers of customer relationship management services. You may be aware from the news that a significant number of universities and charities here and world-wide have been affected by the issue. Unfortunately, this list includes Bletchley Park Trust.”

“The breach contains some of your personal information, which may include one or more data fields, such as your name, title, date of birth, email address, donation history, mailing or e-newsletter list preference, event attendance or membership, depending on your engagement with the Bletchley Park Trust. However, we would like to stress that Blackbaud has assured us that the issue has been resolved and that the data is secure.”

The letter goes on to explain that Blackbaud discovered and stopped a ransomware attack against its systems in May, but took until 16 July 2020 to contact Bletchley Park and tell its data had been affected by the breach.

Blackbaud ultimately decided to pay the cybercriminals who attacked its systems and compromised the data of many organisations.

As the letter describes, Blackbaud’s cybersecurity team believes that it is now storing data securely, and that it has “no reason to believe that any data went beyond the cybercriminal and that the data was deleted after they paid a ransom.”

Let’s hope they’re right.

In the letter the Bletchley Park Trust goes on to apologises”for any inconvience” and says that it is “extremely disappointed” that the security breach occurred.

Bletchley Park says that it is reviewing how it stores its data, and its future relationship with Blackbaud in light of the security breach.

Bletchley Park, and the attached National Museum of Computing, make for a terrific day out – and I strongly recommend you spend a day there if you get the chance.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.