University Incurs Second Data Breach in a Year

The University confirmed the breach which took place in May to students today through email.

The University of York has incurred its second data breach of the last 12 months, York Vision has learned. Student, staff, and alumni information from private cloud computing provider Blackbaud were accessed by a cybercriminal in May but University officials were only informed of the incident on 16 July.

This latest cyberattack is believed to involve a number of UK and US healthcare, educational and non-profit organisations. It is not yet known how many of Blackbaud’s clients were affected by the attack.

Data trusted to third-party service provider, Blackbaud, one of the world’s largest providers of management systems for the higher education sector, was stolen in a ransomware attack where hackers were able to obtain data from a number of Blackbaud’s clients, including the University.

The University told those affected that Blackbaud met the ransomware demand, and had “received assurances” that the stolen data had been destroyed. It has not been confirmed what ransom was paid or how these assurances were made.

Students were informed of the attack on today, five days after the University became aware of the problem.

The University has stated that the data accessed by the hacker “may have contained” addresses and contact information, as well as course and educational attainment details. 

Blackbaud’s website states that no credit card or bank account details were stolen in the attack but how many people the attack has affected and or how much information was stolen by hackers is still unconfirmed.

The University of York has stated that a “detailed forensic investigation” has been undertaken by Blackbaud, law enforcement, and third-party cyber security experts. It has asked students and staff to “remain vigilant”, and to report any suspicious activity or suspected identity fraud to the relevant law enforcement authorities. 

The University of York has also released a statement saying they “are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security”.

This is not the first time the University’s data has come under attack. In July 2019, the BBC reported that the data of almost 4,500 students was stolen by hackers. While the majority of information stolen in 2019 was “very basic” according to a University Spokesperson, administrative records of 88 students were accessed by the hackers.

A spokesperson for the University told York Vision: “We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response”.

Blackbaud has been contacted for comment.

Image Credit: Alex Holland