A data breach of the University of York has affected staff, alumni, students, and extended networks and supporters. The breach is believed to be a result of an attack against the third-party service provider, Blackbaud, that the university uses to manage its customer relationship management services. A copy of a subset of data was taken from Blackbaud’s self-hosted environment in May of 2020 and although they state that no ransomware was deployed, they still paid a ransom. A statement from the company read, “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.” They believe no credit card information, account details, or user account credentials were accessed. The data that was accessed included names, titles, genders, dates of birth, student numbers, phone numbers, email addresses, physical addresses, and LinkedIn profile records. Additionally, course information, qualifications received, details surrounding extracurricular activities, professions, employers, survey responses, documented alumni and fundraising activities may have also been included. The University of York was alerted to the breach the same day that Blackbaud released their public statement disclosing the situation. York decided to begin their own investigation due to the fact that even though a ransom was paid, there’s no guarantee that the information won’t be used for malicious purposes.
When dealing with third-party service providers, it is important to know how much information they have access to. It is important to assess the provider’s security program regularly and be willing to ask questions. Affected parties should be on the lookout for targeted phishing campaigns that may be carried out due to the amount of information that was accessed.