[BreachExchange] University of York discloses data breach, staff and student records stolen

[Destry Winant]

https://www.zdnet.com/article/university-of-york-discloses-data-breach-staff-and-student-records-stolen/

The University of York has disclosed a data breach caused by a
cyberattack experienced by a third-party service provider.

Personal information belonging to "alumni, staff and students, and
extended networks and supporters" is thought to have been stolen
during the incident, although the number of individuals potentially
impacted has not been disclosed -- nor how many years back the stolen
records relate to.

According to the academic institution, names, titles, genders, dates
of birth, student numbers, phone numbers, email addresses, physical
addresses, and LinkedIn profile records may have been taken. In
addition, course information, qualifications received, details
surrounding extracurricular activities, professions, employers, survey
responses, and both documented alumni and fundraising activities may
have been exposed.

The university says that a ransomware attack against Blackbaud, a
third-party cloud computing provider, was the cause of the data theft.
Blackbaud provides customer relationship management (CRM) services to
the University of York.

Blackbaud experienced a cyberattack in May 2020. The company says that
cybercriminals were able to "remove a copy of a subset of data from
our self-hosted environment" before being booted from the network, and
while Blackbaud insists that the attackers were not able to fully
deploy ransomware and encrypt or lock up its systems, a ransom was
still paid.

"Because protecting our customers' data is our top priority, we paid
the cybercriminal's demand with confirmation that the copy they
removed had been destroyed," Blackbaud said in a public notice on July
16. "We have no reason to believe that any data went beyond the
cybercriminal, was or will be misused; or will be disseminated or
otherwise made available publicly."

Blackbaud says the data breach did not include any encrypted data,
such as bank account details, credit card information, or user account
credentials.

The University of York was informed that its information was involved
on the same day as the public notice. While Blackbaud paid up, there
is no guarantee the information was destroyed as agreed, and so the
university has also launched its own investigation and has informed
staff, students, and the UK's Information Commissioner's Office (ICO)
of the incident.

In addition, the University of York says it "is working with Blackbaud
to understand why there was a delay between them finding the breach
and notifying us, as well as what actions they have taken to increase
their security."

"We very much regret the inconvenience that this data breach by
Blackbaud may have caused," the university added.

ZDNet has reached out to the University of York with additional
queries and will update when we hear back.