University of York discloses data breach, staff and student records stolen

Third-party cloud service provider Blackbaud has been blamed.
Written by Charlie Osborne, Contributing Writer

The University of York has disclosed a data breach caused by a cyberattack experienced by a third-party service provider. 

Personal information belonging to "alumni, staff and students, and extended networks and supporters" is thought to have been stolen during the incident, although the number of individuals potentially impacted has not been disclosed -- nor how many years back the stolen records relate to. 

According to the academic institution, names, titles, genders, dates of birth, student numbers, phone numbers, email addresses, physical addresses, and LinkedIn profile records may have been taken. In addition, course information, qualifications received, details surrounding extracurricular activities, professions, employers, survey responses, and both documented alumni and fundraising activities may have been exposed. 

See also: Amtrak discloses data breach, potential leak of customer account data

The university says that a ransomware attack against Blackbaud, a third-party cloud computing provider, was the cause of the data theft. Blackbaud provides customer relationship management (CRM) services to the University of York.

Blackbaud experienced a cyberattack in May 2020. The company says that cybercriminals were able to "remove a copy of a subset of data from our self-hosted environment" before being booted from the network, and while Blackbaud insists that the attackers were not able to fully deploy ransomware and encrypt or lock up its systems, a ransom was still paid. 

CNET: Twitter cracks down on thousands of QAnon accounts

"Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed," Blackbaud said in a public notice on July 16. "We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."

Blackbaud says the data breach did not include any encrypted data, such as bank account details, credit card information, or user account credentials. 

The University of York was informed that its information was involved on the same day as the public notice. While Blackbaud paid up, there is no guarantee the information was destroyed as agreed, and so the university has also launched its own investigation and has informed staff, students, and the UK's Information Commissioner's Office (ICO) of the incident. 

TechRepublic: Remote working: We're stressed and distracted and making these security errors

In addition, the University of York says it "is working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security."

"We very much regret the inconvenience that this data breach by Blackbaud may have caused," the university added. 

ZDNet has reached out to the University of York with additional queries and will update when we hear back.

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards