According to the university, Blackbaud, which provides its customer relationship management system, was hit by a ransomware attack in May 2020.
Information that was stolen included:
Mark Montaldo, who heads up the data breach team at CEL Solicitors, examines the cyber-attack at The University of York and explores some important issues it raises:
According to reports, Blackbaud was hit by the ransomware attack in May. However, they did not notify the university until 16th July. The university, in turn, notified those affected on the 21st July. The length of time it took to notify the individuals affected is worrying as a serious data breach requires immediate action.
Mark commented: “GDPR states that an organisation must report a notifiable breach to a supervisory authority (e.g. the ICO) within 72 hours after becoming aware of it, where feasible. It also states that if the breach is likely to adversely affect individuals’ rights and freedoms, companies must also inform those individuals without undue delay.
“In my professional opinion, having such private information in the hands of cybercriminals, who clearly stole it for financial gain, warranted the immediate notification of those impacted.”
The motive of the criminals in possession of the data appears to have been to hold Blackbaud to ransom. Blackbaud has since admitted that it paid the criminals an undisclosed amount in exchange for assurances that the data had been destroyed. This raises an important question: should companies pay ransoms to protect their customers’ data, and how can you be sure they will do what they promise, if the ransom is paid?
Mark added: “In my view, the practice of paying cyber ransoms can be very dangerous. Despite wanting to pay to help mitigate the impact of a data breach, companies need to be aware of the ramifications before engaging in this practice. Not only are you funding criminal organisations, but there is no guarantee that you’ll get your data back, or that it will be destroyed as promised. Paying a ransom could also result in your business being labelled a ‘soft target’, increasing the chances that a hacker will target you again in the future.”
Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.
Commenting on this, Mark said: “News reports have stated that the cybercriminals removed a copy of a subset of data from a number of Blackbaud’s clients, which included The University of York. We are yet to hear which other universities or businesses may have been impacted by the breach, but it will be interesting to see how far this cyberattack may extend.”
Concluding, Mark said: “One of the biggest concerns people now have is whether or not their data is safe online. We use the internet for almost everything we do and with the ever-increasing reliance on technology, more and more of our personal information is being stored online. It is important to remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.”
For those at The University of York, we are calling for anyone who is worried that they may have been affected by the breach to contact us. We will then investigate whether their private details were part of the cyberattack and whether they could be entitled to compensation as a result.