The National Trust is the latest of more than 80 organisations to have personal data stolen by a hacker who has been paid off with ransom money.
The scale of the major security breach is growing by the day as more British universities, charities and not-for-profit organisations issue warnings about their involvement.
Museums, schools, churches and food banks are also said to have had private data taken by the ‘cyber-criminal’ who hacked into an American technology company’s vast vault of data.
Information about millions of people was copied by the unidentified criminal who gave assurances that it had all been ‘destroyed’ after a ransom was paid.
Blackbaud, who provide data management and cloud software systems for the non-profit sector, suffered the data theft in May but didn’t warn organisations whose data was taken until July.
The hacker tried to block Blackbaud from using its own system. This was foiled by the company’s security team working with ‘law enforcement’, but a ‘subset of data’ was removed.
The Information Commissioner’s Office in the UK is investigating but, along with Blackbaud, has refused to release a list of victims.
No credit card or financial information was taken but the data did include personal information such as names, dates of birth, addresses and employment history.
The National Trust said that data about its volunteering and fundraising communities had been involved, but not its wider 5.6 million members.
The organisation – which looks after historic buildings and gardens – added that an internal investigation was under way to assess if further action was needed.
Jon Townsend, Chief Information Officer, said: ‘We take our data protection obligations extremely seriously. As soon as we became aware of this incident, we launched an internal investigation and are working with the third-party supplier, Blackbaud, to assess whether any further action is needed.
‘This affected our volunteering and fundraising community and did not involve any data from our membership database. We are currently in the process of identifying and informing those affected.
‘We have been told that no financial data, credit card, account details or passwords were accessed as a result of the Blackbaud breach and understand that any data that was accessed has since been destroyed.’
There has been widespread concern about Blackbaud relying on assurances from the hacker that all stolen data has been destroyed.
Dozens of universities have had data about students, former students, staff and donors stolen. They include the universities of Durham, Birmingham, Bristol, Exeter, Glasgow, Sheffield Hallam, Oxford Brookes, Aberystwyth, Reading, York, Leeds, Manchester, Sussex, South Wales, London, Newcastle, Northampton, Loughborough, De Montfort, University College and Brasenose College in Oxford, King’s College and Brunel University in London, Selwyn College in Cambridge and Aston University in Birmingham.
A long list of charitable organisations have also publicly revealed a potential data loss.
They include Young Minds mental health charity, Sue Ryder the terminal illness charity and the homeless charity Crisis. Breast Cancer Now and Action on Addiction are also on the list.
An ICO spokeswoman said ‘multiple’ organisations in the UK had been hit.
She said: ‘People have the right to expect that organisations will handle their personal information securely and responsibly. If an individual has concerns about how their data has been handled, they should raise it with the organisation first then report them to us if they are not satisfied with the response.’
Data from education institutions in North America and Europe was also taken.