Menu
Browse

Cyber Incident Victim: University of York

Date:

Sep 2020

Location:

United Kingdom

Summary

A ransomware attack on the cloud service Blackbaud resulted in the theft of personal data including names, dates of birth, addresses, phone numbers and email addresses from several UK universities, among them the University of York. The breach prompted law firm Simpson Millar to begin investigations and consider legal action for alleged GDPR violations, while the universities involved stated they had investigated the incident, notified potentially affected individuals and advised only standard online security precautions.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

In September 2020, reports emerged that a ransomware attack on the cloud computing provider Blackbaud had resulted in a data breach affecting several UK universities, including the University of York. The breach was said to have exposed personal information such as names, dates of birth, addresses, phone numbers and email addresses of students, staff and partners. The article notes that the attack occurred earlier in the summer of 2020 and that Blackbaud serves foundations, corporations and educational institutions among others. It is alleged that the compromised data may have been leaked online.

Cyber Incident Image

After being informed of the incident by Blackbaud earlier in the summer, the University of Surrey stated that it launched a detailed investigation into the circumstances and took action to ensure those who may have been affected were notified. A spokesperson for the university said that their inquiries reassured them that individuals linked to the institution did not need to take any specific actions beyond normal day‑to‑day online security precautions. Similar response steps were implied for the other affected universities, including the University of York, as they were among those where data held by Blackbaud was compromised.

The breach prompted the law firm Simpson Millar to begin investigations and legal proceedings after hundreds of site users expressed concern over the possible leak. Robert Godfrey, Head of Professional Negligence at Simpson Millar, described the breach as deeply concerning and a clear violation of GDPR and data protection rules, stating that affected individuals could have a valid claim for damages for distress, injury and disruption. He also noted that many people were anxious about being targeted at home or work and would need support from family and friends during the ordeal. Blackbaud declined to comment on the matter.

Sources
Sources available to members
1 source