Data Breach: University of York Staff and Student Records Stolen in Third-Party Cloud Service Provider Ransomware Attack

Yesterday, the University of York disclosed a security incident that affected Blackbaud, a third-party service provider offering customer relationship management (CRM) tools for nonprofits and educational organizations.

According to a data breach memo, Blackbaud fell victim to a ransomware attack earlier in May, when the attackers infiltrated their systems and were able to “remove a copy of a subset of data from a number of their clients,” including University of York.

As per a detailed forensic investigation reported by Blackbaud, the data accessed by the cybercriminals included:

• Personal identifiable information such as name, title, gender, date of birth, student number, phone, email address, LinkedIn profile URL • Course and educational details • Records of fundraising activities with alumni • Professional details

The report also reveals that Blackbaud “met the cybercriminal’s ransomware demand.” After payment, the cloud service provider highlighted that it even received “assurances from the cybercriminal that data had been destroyed.”

The company also confirmed that no encrypted information such as account details or passwords were accessed during the attack, and no credit card or other financial details were part of the exfiltrated data.

“The cybercriminal did not access credit card information, bank account information, or social security numbers,” Blackbaud said. “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Despite these assurances, University of York officials claimed to have launched their own investigation, and informed the Information Commissioner’s Office (ICO) of the breach.

“We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security,” reads the data breach notification.

While the educational organization said “there is no need for our community to take any action at this time,” students and staff members are advised to remain vigilant and monitor their accounts for any suspicious activity.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Alina Bizga. Read the original post at: