Ransomware attack on Blackbaud leaks University of York students’ data


A third-party service provider for a number of non-profit organizations, as well as the University of York, was hacked

University of York data breach

On July 21, the University of York disclosed alarming news to its students, alumni, and other related parties. According to the academic establishment, its third-party provider, Blackbaud, was involved in a cybersecurity incident, in which personal data of students, staff, and extended networks were stolen.

Blackbaud is a Charleston-based tech company that specializes in providing cloud computing services for numerous non-profit, educational, healthcare, and other organizations worldwide. The University of York was one of many institutions that were contacted by Blackbaud in mid-July. According to the third-party service provider, it suffered a ransomware attack in May 2020:[1]

On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020.

The University of York immediately began informing the affected students and staff and contacted the Information Commissioner’s Office (ICO) about the data breach.

No sensitive information, such as credit card details or passwords, was accessed during the security incident

The University of York took the data breach very seriously and began its forensic investigation soon after it received news from Blackbaud about the cybersecurity incident. The academic institution conducted its own research and began comparing the data provided by the hacked third-party service provider.

According to the University’s findings, the involved parties include students, alumni, staff, extended networks, and supporters. The personal information accessed by malicious actors during the cyberattack included name, gender, date of birth, LinkedIn profiles, phone numbers, emails, professional details, and details provided about interests. The stolen database also included data about students who engaged in alumni and fundraising programs and information about what type of education/qualifications they acquired while studying at the university.

The University of York gave assurances that no sensitive information, such as credit card details or passwords, was affected by the data breach, as such information was encrypted in the database. Despite this, the affected parties could face serious privacy issues and phishing or scam attempts that make use of the data collected by the criminals. In many cases, threat actors sell the stolen information for profit to the highest bidder on the dark web.[2]

Blackbaud paid attackers to make them delete stolen customer information

Blackbaud, which was affected by the cybersecurity incident back in May 2020,[3] claims that it stopped the ransomware attack as soon as it was detected on its networks. The company began an immediate investigation with the help of its cybersecurity team as well as independent forensic investigators.

Blackbaud claims that the attackers attempted to lock the company out of its own systems, but security experts managed to prevent that from happening by kicking the malicious actors out of its networks. Before the attackers were kicked out of the server, they managed to grab a copy of a subset of data that was hosted locally.

New high-profile ransomware strains (Maze,[4] DoppelPaymer, and many others) not only encrypt data on the infected company networks but also exfiltrate the information in order to blackmail its owners later. Blackbaud agreed to pay the ransom so that the criminals would delete the copy of the files that were obtained during the cyber intrusion:[5]

Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.