Staff and Students at the University of York Face a Data Breach That Leaked Many Personal Details

University of York's Third-Party Data Breach

On Tuesday, the University of York posted a notification on its website informing staff, students, and alumni that their data may have been breached. The incident happened in May, and it involved personal details like names and dates of birth, contact information like phone numbers, email addresses, and LinkedIn profiles, as well as quite a lot of data related to the victims' academic activities.

The number of affected individuals remains unknown, but the University of York assured us that no credit card information was stolen during the breach. Even so, the potential for identity theft is very real for the people involved, and the only thing they can rely on to protect them is the cybercriminals' honesty.

The breach happened at a third party

The University of York's IT systems were never compromised. The attack was aimed at a partner of the university called Blackbaud. Blackbaud is a provider of Customer Relationship Management (CRM) solutions to academic and not-for-profit organizations, and on July 16, it issued a public statement on the breach.

The CRM provider announced that in May, it got hit by a ransomware attack, and it then went on to explain how it reacted. Apparently, Blackbaud detected the intrusion quickly, and with the help of cybersecurity specialists, it managed to kick the attackers out. Despite the lightning reactions, the crooks managed to make off with some data, including the personal and contact details of University of York students and staff.

Blackbaud paid the ransom

Blackbaud started its notification with an explanation of how big the cybercrime industry is, and it then proceeded to tell us how it did its little thing to support it. Thanks to Blackbaud's quick reaction, the hackers failed to encrypt any files. They did have the stolen data with them, however, and, naturally enough, they decided to use it as leverage for extortion.

As it turns out, this was a good idea. Blackbaud admitted in its notification that it paid a ransom of an unspecified amount.

Was paying the ransom such a good idea?

On the face of it, paying the ransom is a very noble thing to do. In effect, the CRM provider deprives itself of some of its hard-earned profits in order to ensure that its customers' data doesn't get misused.

Unfortunately, there can be no assurance that the data is actually safe. According to Blackbaud, after the ransom was paid, the cybercriminals provided "a confirmation" that the copy of the data they had stolen was deleted. Both Blackbaud and the people whose data was compromised have no choice but to take the crooks' word for it. Given that we're talking about a group of ruthless cybercriminals, it's difficult to trust them, which is why the University of York's students, staff, and alumni are still advised to be on the lookout for any signs of identity theft.

July 23, 2020
