Students told to ‘remain vigilant’ as security breach affects University of York

Third-party service provider Blackbaud has been victim of a ransomware attack

Students have been told to “remain vigilant” after a security breach at the University of York has made personal details available to a cyber-criminal.
An email sent by the university has informed students about a security incident with third-party service provider, Blackbaud. Although the university has stated that ‘there is no need for you to take any action at this time’, it has also been established that the incident ‘may have involved your personal information’.
Under a heading titled “what happened”, the email explains that the university was contacted on 16 July by Blackbaud, described in the email as “one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector.” Blackbaud informed the university that the ransomware attack had occurred in May 2020 and that as a result of this, the University of York, amongst other clients, had a subset of data accessed and copied by the cyber-criminal. The email explains that the university use Blackbaud to “record engagement with members of the University community, including alumni, staff and students, and extended networks and supporters.”
The university reassures that:
  • A detailed forensic investigation by law enforcement and third-party cyber security experts was undertaken on behalf of Blackbaud
  • It has been confirmed by Blackbaud that no encrypted information such as bank details or passwords was accessed
  • It has also been confirmed by Blackbaud that no credit card information was accessed in the attack.
However, the email contains a list of information that may have been accessed by the cyber-criminal:
  • Basic details e.g. name, title, gender, date of birth and student number
  • Addresses and contact details e.g. phone, email and LinkedIn profile URL
  • Course and educational attainment details, e.g. what qualification you received and some of the extracurricular opportunities you participated in while studying at York
  • A record of your engagement with alumni and fundraising activities e.g. enquiries, event participation, volunteering, donations, and any other interactions you have with us
  • Professional details, e.g. the profession you work in and your employer
  • Information about your interests you have provided to us e.g. in response to one of our surveys.
The university has stated that in order to protect customers data and mitigate potential identity theft… Blackbaud has advised us that it paid the ransom and received assurances from the cyber-criminal that the data had been destroyed. The email also informs that the university has launched their own investigation.
Under a heading titled “What do you need to do?”, the university states that “There is no need for you to take any action at this time. As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or identity theft to the proper law enforcement authorities.”
The email closes with:
“We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team.”
You can keep up to date with how the university is responding to this issue here.