GCHQ accredited university suffers data breach


The University of York, which is one of only 14 universities to offer a GCHQ accredited Masters degree in cyber security, has had staff and student records stolen in a data breach.

The breach occurred at third-party provider Blackbaud, a US firm which provides a customer relationship management service to York and other universities including the University of Leeds, which has also been affected by the ransomware attack.

Although the breach occurred in May, Blackbaud did not confirm the hack until 16 July. In a statement, the company said it had paid the “cybercriminal’s demands with confirmation that the copy they removed had been destroyed.”

Blackbaud added that no bank account or credit details were stolen in the hack and that “based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

The University of York has questioned why Blackbaud took so long to inform it of the attack and has notified the Information Commissioner’s Office (ICO) about the breach.

In a statement, the university confirmed it was conducting an investigation into the breach and that Blackbaud had confirmed “that no encrypted information, such as bank account details or passwords, was accessible and that no credit card information formed part of the data theft.”

The university also reaffirmed that it takes its “data protection responsibilities very seriously”. The statement ended, “we very much regret the inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.”

The University of Leeds has also confirmed that “names and email addresses for some members of our alumni and supporter community were affected” and added, “we are sorry for any distress or inconvenience caused by what is criminal activity against one of our service providers.”

Its official statement added, “We have been working tirelessly to investigate what has happened, in order to accurately inform those affected. No action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant.”

The ICO is understood to now be “making enquiries” into the incident with both “Blackbaud and the respective [data] controllers”. In a statement it added that it would “encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually.”
