THE University of York has launched an investigation after a serious cyber-attack, in which personal details of students, staff and alumni may have been stolen by hackers.

It said Blackbaud, which provides a customer relationship management system for the university, was hit by a ransomware attack in May 2020. However, it only informed the university on July 16, while the university only shared details of the breach yesterday (Tuesday).

The cybercriminal removed a copy of a subset of data from a number of Blackbaud clients, which included the University of York.

The university said it uses this system to record engagement with members of the university community, including alumni, staff and students, and extended networks and supporters.

A university spokesperson said: “We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response.”

The university confirmed that data stolen by the cybercriminal may have contained information including basic details such as name, title, gender, date of birth and student number; addresses and contact details; course and educational attainment details; professional details, such as the profession people work in; a record of engagement with alumni and fundraising activities; and information about people’s interests they have provided to the university. 

It added that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts.

The investigation found that no encrypted information, such as bank account details or passwords, was accessible, and no credit card information formed part of the data theft, Blackbaud confirmed.

In order to protect customers’ data and mitigate potential identity theft, Blackbaud paid the criminals an undisclosed amount as a ransom, according to the university.

It said the company "received assurances from the cybercriminal that the data had been destroyed."

The university has informed the Information Commissioner’s Office (ICO) of the breach and is awaiting further guidance.

It is taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected.

The university spokesperson commented: "There is no need for our community to take any action at this time - as a best practice, we recommend people remain vigilant.”

One former student, who didn’t want to be named, said: “This sounds like it could have affected hundreds of thousands of people and, though bank details aren’t involved, it’s still a pretty serious security breach. The fact that the university states Blackbaud has received assurances from the cybercriminal that the data has been destroyed is really no kind of reassurance to anyone whose data has been stolen.”

A spokesperson for York St John University has confirmed that it has not been affected by this attack.

Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.

The company has issued a statement saying: "In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminalout, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."