University of York provider pays ransom after cyber-attack

The University of York has launched an investigation after a cyber-attack, in which personal details of students, staff and alumni could have been stolen by hackers.

It comes after Blackbaud, which provides a customer relationship management system for the university, was hit by a ransomware attack in May 2020.

The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data. 

Blackbaud paid a ransom and has "received assurances from the cybercriminal that the data had been destroyed", according to the university.

The university said it uses this system to record engagement with members of the university community, including alumni, staff and students, and extended networks and supporters.

An investigation by Blackbaud found that no encrypted information such as bank account details or passwords has been compromised, the university explained.

What information was involved?

The University of York said details which may have been accessed include:

• Basic details e.g. name, title, gender, date of birth

• Addresses and contact details

• Course and exam results

• A record of fundraising activities

• Professional details

• Information about interests

A University of York spokesperson said: “We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response.

"The third-party supplier, Blackbaud, has confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible. Under our GDPR obligations we have made a formal report to the Information Commissioner’s Office.

"There is no need for our community to take any action at this time - as a best practice, we recommend people remain vigilant.”