The University of York has announced that a ransomware attack suffered by its CRM provider Blackbaud resulted in a cyber criminal stealing the personal information of its alumni, staff, and students and using the data to demand ransom from the company.

The ransomware attack took place in May and despite various cyber security protocols put in place by Blackbaud, the hacker was able to remove a copy of a subset of data from the firm’s self-hosted environment. The compromised data included information belonging to the University of York as the university used Blackbaud’s CRM system to record engagement with members of its community, including alumni, staff, and students.

In a data security incident notification posted on its website, Blackbaud said that its cyber security team was able to prevent the hacker from blocking its IT system and fully encrypting files after the ransomware attack was detected. However, they were not able to prevent the hacker from stealing a subset of data that stored information belonging to its clients.

“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” the firm said.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment.

“The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” it added.

Ransomware attack compromised the personal data of allumni, staff, and students of the University of York

According to the University of York, they were notified about the ransomware attack and the compromise of member records by Blackbaud on 16th July, following which the university carried out an investigation to determine how much of its data was accessed by the hacker who succeeded in forcing Blackbaud to pay a ransom.

The university said that the compromised information included names, titles, gender, dates of birth, student numbers, addresses, phone numbers, email addresses, and LinkedIn profile URLs of members of the University community.

The breach also compromised details of qualifications, courses attended, extracurricular activities, fundraisig activities, records of members’ engagement with allumni, event participations, volunteering, professional details, as well as information about members’ interests that were obtained through surveys.

Even though Blackbaud assured the University of York that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed, the university informed the Information Commissioner’s Office about the incident, notified affected members, worked with Blackbaud to ascertain the reason behind the delay between them finding the breach and notifying it, and is taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected.

“We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. We very much regret the inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement,” the university added.

According to Jeremy Hendy, CEO at Skurio, universities have complex digital ecosystems, with student and staff data potentially flowing through thousands of different technologies – many of which may not be visible. Therefore, universities must enforce security standards with their own suppliers, require ISO certification, and set mandatory requirements for data processing.

Dr Kiri Addison, Head of data science for threat intelligence and overwatch at Mimecast, said that to minimise the threat of ransomware attacks, organisations must implement adequate resiliency measures to preserve business-as-usual should the worst happen. Non-networked backups and a fallback email and archiving process need to become standard security measures if organisations are to significantly mitigate ransomware threats.

“Individual users can also assist greatly by being aware of the potential for unsafe attachments,but should also be wary of clicking any email links received in any communication, as criminals are increasingly utilising URL links rather than file-based attachments to infect networks,” she added.