Skip to content Accessibility statement

Blackbaud response

News

Posted on Tuesday 21 July 2020

Information relating to a data security incident with a third-party service provider of the University of York.

The information below relates to a data security incident with a third-party service provider of the University of York. We believe it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as University of York data. 

We take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are below, including the steps we have taken in response.

What happened

On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data. 

We use this system to record engagement with members of the University community, including alumni, staff and students, and extended networks and supporters. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud’s systems with members of our community today. 

What information was involved?

We would like to reassure our community that: 

  • a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts; 
  • Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible; 
  • Blackbaud also confirmed that no credit card information formed part of the data theft.

The data accessed by the cybercriminal may have contained some of the following information:

  • Basic details eg name, title, gender, date of birth and student number (if applicable);
  • Addresses and contact details eg phone, email and LinkedIn profile URL;
  • Course and educational attainment details, eg what qualification you received and some of the extracurricular opportunities you participated in while studying at York (if applicable);
  • A record of your engagement with alumni and fundraising activities eg enquiries, event participation, volunteering, donations, and any other interactions you have with us;
  • Professional details, eg the profession you work in and your employer;
  • Information about your interests you have provided to us eg in response to one of our surveys 

What are we doing about the situation

We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed.

However, we have immediately launched our own investigation and have taken the following steps:

  • We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant; 
  • We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance;
  • We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected;
  • We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.

There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

If anyone would like to contact a member of the University of York team, please contact alumni@york.ac.uk.

Steps we have taken in response

We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. We very much regret the inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement. 

Explore more news

News

14 July 2026

BAFTA-winning actor, Suranne Jones; celebrated broadcaster and economist, Evan Davis; and pioneer of India’s IT industry, NR Narayana Murthy, are among eight distinguished figures to receive honorary degrees from the University of York in July.

News

9 July 2026

Nine out of 10 students at the University of York are satisfied with the academic support they receive, according to the results of the 2026 National Student Survey (NSS).

News

3 July 2026

Bears often get a bad reputation, but a new study shows that they might not be the species most often involved in human-wildlife interaction that can lead to conflicts in national parks.

News

1 July 2026

Predicting whether a company's profits will rise or fall has long been one of the most notoriously difficult tasks in finance. Corporate earnings underpin trillions of dollars in market valuation, yet traditional forecasting models are routinely upended by economic shocks, shifting consumer tastes, and unexpected corporate crises.

News

25 June 2026

The Scottish Child Payment (SCP) is successfully reducing child poverty and food insecurity, according to a new major study, featuring researchers from the University of York.

Read more news