Cyber Incident Victim: York University
Date:
Sep 2020
Location:
United Kingdom
Summary
A ransomware attack targeting Blackbaud, a cloud computing provider, compromised personal data of individuals associated with multiple UK universities including York University. The breach exposed confidential information such as names, dates of birth, addresses, phone numbers, and email addresses, potentially affecting hundreds across nine institutions. Legal proceedings were initiated against the universities for alleged failure to adequately protect data, with claims citing violations of GDPR and rights to privacy. Affected individuals expressed concerns over future targeting and emotional distress, while the institution maintained that normal security precautions sufficed and notified those potentially impacted.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In 2020, a ransomware attack targeted Blackbaud, a cloud computing provider serving educational institutions, compromising personal data of students, staff, and partners at multiple UK universities including the University of York. The breach exposed confidential information such as names, dates of birth, addresses, phone numbers, and email addresses. The incident prompted legal action against affected universities, with claimants alleging insufficient data protection measures under GDPR. Law firm Simpson Millar initiated investigations after hundreds of individuals from nine institutions expressed concerns, citing potential violations of privacy rights and entitlement to compensation for distress, anxiety about future targeting, and life disruption.
The University of Surrey confirmed its involvement among numerous affected institutions, launching an investigation upon Blackbaud's notification earlier that summer. Affected parties were notified, though the university advised no specific actions beyond routine online security precautions. Simpson Millar's Robert Godfrey emphasized the breach's scale and psychological impact, urging potential claimants to contact the firm. Blackbaud declined comment. Other impacted universities included South Wales, Cumbria, Leeds, Birmingham, Newcastle, Reading, Surrey, and King’s College London, with no individual university responses beyond Surrey’s statement documented in the report. Legal proceedings focused on institutional accountability for third-party vendor vulnerabilities.