Data stolen from UK universities in ransomware attack

Stephen Chapman's picture
by Stephen Chapman

The University of York and Leeds University are among a number of UK universities to have student and alumni data stolen in a ransomware attack.

It comes following an attack on education administration software firm, Blackbaud in May this year.

The company, said:

“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers.”

However, Blackbaud did pay the hacker an undisclosed amount:

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Leeds University released a statement to say:

"We want to reassure our alumni that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected. No action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant.”

The University of York says it takes data protection responsibilities “very seriously” and immediately launched its own investigation and has informed staff, students and the Information Commissioner’s Office.

A spokesperson added that they are "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.”

Human Rights Watch, which was also impacted by the attack said it no longer uses Blackbaud to process new credit card or donor information.

Blackbaud, which is based in South Carolina, is one of the world’s biggest providers of education, administration, fund-raising and financial management software.

Update:

This morning, the Unviersity of Manchester has confirmed that it too was a victim of the attack. In an email it said that it had commenced a thorough investigation and had also informed the ICO about the breach. It had also asked Blackbaud to "detail the steps that it will take to ensure that it will not be affected by similar incidents in the future."