Menu
Browse

Cyber Incident Victim: University of York

Date:

Sep 2020

Location:

United Kingdom

Summary

A cyber attack on the cloud provider Blackbaud resulted in the unauthorized access of personal data belonging to students, staff and partners of several UK universities, including the University of York. The compromised information reportedly includes names, dates of birth, addresses, phone numbers and email addresses, prompting a law firm to investigate potential GDPR violations and consider legal action against the affected institutions. The University of Surrey, which was also named among the impacted universities, stated that it investigated the incident, notified those potentially affected and advised that no special measures beyond standard online security precautions were necessary.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

In the summer of 2020, the cloud computing provider Blackbaud experienced a ransomware attack that compromised data it held for a range of clients, including several UK universities. Confidential information including names, dates of birth, addresses, phone numbers and email addresses are thought to have been stolen by hackers in the attack. Among the institutions understood to be affected were the University of Surrey, the University of York, South Wales University, Cumbria University, Leeds University, Birmingham University, Newcastle University, Reading University, Surrey University and Kings College London. The breach raised immediate concerns about the potential exposure of personal data and possible violations of data protection legislation.

Cyber Incident Image

Following the disclosure, the law firm Simpson Millar announced it had begun investigations and was preparing legal proceedings after receiving concerns from hundreds of site users who feared their details had been leaked. Robert Godfrey, Head of Professional Negligence at Simpson Millar, described the breach as deeply concerning and a clear violation of GDPR and data protection rules, stating that anyone affected could have a valid claim for damages against the responsible institutions. He added that many individuals were anxious about being targeted at home or work in the future and would need support from family and friends during the ordeal. The firm noted that the incident had prompted approaches from individuals linked to nine UK universities, indicating a potentially large scale of impact.

A spokesperson for the University of Surrey said the institution had been informed of the incident by Blackbaud earlier in the summer, had launched a detailed investigation into the circumstances and had taken steps to notify those who may have been affected. The spokesperson added that inquiries had reassured them that individuals linked to the university did not need to take any specific actions beyond normal day‑to‑day online security precautions. While the University of York was listed among the affected institutions, the source material does not detail any specific investigative or notification actions taken by York itself. The incident remains recorded as a data breach affecting multiple universities via the Blackbaud compromise.

Sources
Sources available to members
1 source