The University of York has launched an investigation after it had personal details of staff and students stolen by hackers.
As outlined in a statement on the university’s website, the source of the breach was an attack on a third-party service provider, tech firm Blackbaud, which fell victim to ransomware in May 2020. The University of York was first informed of the incident on July 16.
“The cyber-criminal was able to remove a copy of a subset of data from a number of their [Blackbaud’s] clients. This included a subset of University of York data.”
The university uses the Blackbaud system to record engagement with members of the university community, including alumni, staff and students and extended networks and supporters, it outlined.
In terms of the data stolen, the University of York stated this may have included information such as name, date of birth and student number along with address, phone number, email address and professional details.
However, it said that a Backbaud investigation found that no encrypted information, such as bank account details or passwords were accessed, whilst no credit card information formed part of the data theft either.
“We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cyber-criminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cyber-criminal that the data had been destroyed,” the statement continued.
“There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.”
The university’s own investigation into the incident is ongoing and it has notified the UK's Information Commissioner’s Office (ICO).
Commenting on the story, Jake Moore, cybersecurity specialist at ESET, said: “Every single day that an organization delays informing those affected is another day where their data is in the wrong hands and is at risk of being abused by criminals. Victims must be made aware at the earliest opportunity and organizations need to urgently understand the huge risk those affected are at.
“The ICO states they need to be informed of an attack within 72 hours and threaten organizations with hefty fines, but this still doesn’t mean they will be forced to pay. This in turn increases the possibility of such organizations being slow to react when making those affected aware of the risks, and puts people’s personal information in jeopardy.”