Posted on 21 July 2020
The information below relates to a data security incident with a third-party service provider of the University of York. We believe it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as University of York data.
We take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are below, including the steps we have taken in response.
On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data.
We use this system to record engagement with members of the University community, including alumni, staff and students, and extended networks and supporters. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud’s systems with members of our community today.
We would like to reassure our community that:
The data accessed by the cybercriminal may have contained some of the following information:
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed.
However, we have immediately launched our own investigation and have taken the following steps:
There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If anyone would like to contact a member of the University of York team, please contact email@example.com. To speak to somebody directly, call us on +44 (0)1904 221889 on on Tuesday 21 July (10am-5pm BST), Wednesday 22 July (10am-5pm BST) or Friday 24 July (10am-4pm BST).
We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. We very much regret the inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.