Cyber Incident Victim: University of Leeds

In July 2020, a ransomware attack targeted Blackbaud, a cloud computing provider serving educational institutions including the University of Leeds and at least eight other UK universities. The breach resulted in unauthorized access to confidential personal data belonging to students, staff, and institutional partners. Compromised information included names, dates of birth, physical addresses, phone numbers, and email addresses. Blackbaud notified affected universities of the incident during the summer of 2020, prompting the University of Leeds and others to initiate investigations. The universities determined that while data had been exfiltrated, no immediate remedial actions beyond standard security precautions were required for affected individuals. Notification processes were implemented to alert those potentially impacted by the breach.

Legal firm Simpson Millar subsequently announced investigations into potential GDPR violations by the universities, citing concerns from hundreds of affected individuals across nine institutions. The firm asserted that the universities failed to adequately protect personal data, constituting a breach of privacy rights under data protection regulations. Head of Professional Negligence Robert Godfrey characterized the incident as causing significant distress, with victims expressing anxiety about future targeting and requiring emotional support. The University of Leeds was specifically named among institutions facing potential legal claims for compensation related to emotional distress and privacy violations. While the University of Surrey publicly acknowledged its involvement and investigation timeline, no direct statements from the University of Leeds regarding their specific response measures were documented in the available source material. Blackbaud declined to provide commentary on the incident when approached.