Cyber Incident Victim: Aberystwyth University

In May 2020, Aberystwyth University became a victim of a global ransomware attack targeting Blackbaud, a US-based provider of alumni and supporter management systems. The breach compromised a university web portal and information management system used for alumni and supporter engagement. Blackbaud suffered the ransomware intrusion in May but delayed public disclosure until July 2020. The attackers exfiltrated data from Blackbaud's systems before deploying ransomware encryption. Aberystwyth University confirmed the incident affected its alumni and supporter data but emphasized no student information was accessed. The institution stated no bank account details or credit card information were stolen during the attack. Approximately 10,000 students attended the university annually, but current student records remained unaffected according to the university's assessment.

Blackbaud paid an undisclosed ransom to the attackers despite law enforcement advisories against such payments, claiming to have received confirmation that stolen data was destroyed. Aberystwyth University launched an urgent investigation upon notification and reported the breach to the UK Information Commissioner's Office, pledging full cooperation. The university publicly reassured stakeholders that the compromised data involved only alumni and financial supporters, not operational or academic records. Other UK institutions including the University of York and University of London were similarly affected by the same Blackbaud breach. Aberystwyth maintained there was no evidence of misuse of the stolen data and accepted Blackbaud's assurances regarding data destruction. The incident highlighted third-party risks as the attack originated through Blackbaud's infrastructure rather than the university's direct systems.