Leeds Alumni Take Legal Action over Data Breach

Former University of Leeds students have taken legal action against the University following a data breach back in May 2020. 

The attack, which also extended to other universities including Reading, Birmingham, Surrey and Kings College London, saw private details such as names, address, dates of birth, phone numbers and email addresses compromised in a ransomware attack. 

According to LeedsLive, the former students of the University of Leeds are just some of a larger group taking their respective institutions to court. 

Among other universities currently facing legal action are the University of Cumbria, Newcastle University and the University of Surrey.

While the original data hack occurred in May, it is believed only formers students have been affected – the University of Leeds alumni were only informed of the breach in July. 

Criminals hacked into the university’s virtual platform, Blackbaud. 

Blackbaud, a US-based company, is a cloud software which describes itself as serving “the entire social good community, which includes non-profits, foundations, corporations, educational institutions, healthcare institutions and the individuals who support all of them.”

Indeed, numerous companies, within the UK and internationally, reported being affected by the data breach. Such organisations include charities, schools, public radio stations, religious organisations and universities. 

According to a statement released by Blackbaud, the company paid to have the compromised data destroyed with confirmation. However, one expert who spoke to the BBC questioned whether the validity of this confirmation could be assured. 

Legal firm Simpson Millar is working with a number of those affected by the data breach on the basis that universities violated data protection and GDPR rules. 

The firm is also currently conducting an investigation to understand the full extent of the incident. 

Robert Godfrey, Head of Professional Negligence, called the data breach ‘deeply concerning’.

He said: “We have had members of the universities contact us who are quite rightly very concerned. We are actively investigating potential claims on behalf of people directly affected by this serious breach. This is a clear violation of General Data Protection Regulation (GDPR) and data protection rules.”

He argues that universities have a duty of care to protect the privacy of their students, former students and staff. 

He also encouraged anyone affected by the breach to get in contact. 

“I am confident any person whose details have been accessed could have a valid claim. It is clear there has been of breach of individuals’ right to privacy and the universities are ultimately responsible. There is a clear entitlement to compensation for any upset, injury and cost of support and disruption to their lives.”

When contacted, a spokesperson for the University of Leeds said: “We are not aware of any group action being launched against the University.”

Back in July, when the University first addressed the hack, they said in a statement:  “We take the issue of data protection very seriously and are sorry for any concern caused to our alumni community and want to reassure them that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected.

“Blackbaud assures us that data compromised in the incident was comparatively low risk and did not contain any password, bank account or credit card information, and no action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant.”

Photo Credits: Bowman Riley