University of York hit by serious data breach as personal details of staff, students and supporters stolen

University of York Central Hall. Photograph: Arian Kriesch / Wikipedia
22 Jul 2020 @ 7.34 am

University of York leaders have launched an investigation after personal details of its staff and students were stolen by hackers.

The university commissions US tech company Blackbaud to provide a customer management system.

Blackbaud was hit by a ransomware attack in May 2020, but only told the university on 16 July. The university, in turn, only informed those affected yesterday (Tuesday, 21 July).

The criminals extracted data containing personal details of “alumni, staff, students, and extended networks and supporters”.

This included their phone numbers and email addresses. Hundreds of people are thought to be affected.

University registrar Jo Horsburgh has written to those affected to urge them to “remain vigilant and promptly report any suspicious activity or suspected identity theft”.

She writes: “We very much regret the inconvenience that this data breach by Blackbaud may have caused you.”

The stolen data

Buildings on the Heslington East campus at the University of York. Photograph: Anna Gowthorpe/PA Wire

Blackbaud’s own investigation found that “no encrypted information, such as bank account details or passwords”, nor credit card information, formed part of the data theft.

What was stolen included:

  • personal details, eg name, title, gender, date of birth and student number (if applicable)
  • addresses and contact details, eg phone, email and LinkedIn profile URL
  • education details, eg what qualification was awarded and extracurricular opportunities undertaken while studying at York
  • alumni and fundraising activities records, including participation, donations, and any other interactions
  • professional details, eg the profession you work in and your employer
  • information about people’s interests submitted in response to university surveys.

Blackbaud has paid the criminals an undisclosed amount as a ransom. The company “then received assurances from the cybercriminal that the data had been destroyed”.

University of York is carrying out its own investigation.

It has also informed the Information Commissioner’s Office (ICO) of the breach and is awaiting further guidance.

One of the university’s alumni told YorkMix: “It’s very worrying that so much of my personal information has fallen into the hands of criminals.

“How can we be sure they have destroyed it? They’re hardly the most trustworthy people.

“University of York should urgently consider severing its ties with this contractor, and review all its IT systems.”

Anyone who would like to contact a member of the University of York team about the data breach can email [email protected]. To speak to somebody directly, call 01904 221889 today (Wednesday 22 July) between 10am and 5pm.