Cyber Incident Victim: Maynooth University
Date: May 2020
Location: Ireland
Summary
Maynooth University suffered a data breach when cybercriminals compromised its third-party service provider Blackbaud, stealing a backup file containing personal information. The attackers exfiltrated student and alumni data including names, birthdates, addresses, and academic qualifications before being expelled, though no financial details or passwords were accessed. Blackbaud paid a ransom for the stolen data's purported destruction, claiming no evidence of misuse or dissemination. The university launched its own investigation, notified affected individuals and regulators, and initiated a review of its relationship with the provider while advising vigilance against potential identity theft. Multiple institutions were impacted by the same ransomware attack targeting Blackbaud's systems.
Description
In May 2020, a ransomware attack targeted Blackbaud, a cloud management and software provider serving multiple third-level institutions including Maynooth University. The cybercriminal gained access to Blackbaud’s systems and exfiltrated a copy of a backup file containing a subset of Maynooth University data before being expelled by Blackbaud’s cybersecurity team, which worked with independent forensic experts and law enforcement to prevent full system encryption. Blackbaud paid the ransom demand after receiving assurances from the attacker that the stolen data copy had been destroyed, though the company did not initially disclose affected client institutions. Maynooth University was notified of the breach by Blackbaud on 16 July 2020, nearly two months after the initial attack. The university subsequently launched its own investigation, determining that compromised data included names, dates of birth, addresses, and academic qualifications of students and alumni, but found no evidence that financial information (such as credit card details or bank data) or passwords had been accessed.

Maynooth University formally notified affected individuals via a letter in September 2020, advising them to remain vigilant against identity theft but stating no specific remedial actions were required. The institution reported the breach to Ireland’s Data Protection Commissioner and initiated a review of its contractual relationship with Blackbaud as a service provider. Blackbaud maintained that the stolen data had not been disseminated or misused based on its internal investigations and law enforcement collaboration, though the incident impacted multiple organizations globally, including Ireland’s National University of Galway (NUIG), which had issued similar reassurances to its stakeholders in July. The university issued a public apology for the incident but declined immediate further comment when contacted by media. No technical details regarding attack vectors, malware variants, or the identity of threat actors were disclosed in available communications.
