University of Leeds second in Yorkshire to confirm Blackbaud ransomware breach

The University of Leeds is the latest Yorkshire education institution to confirm that details of its alumni may have been breached after a data hack.

The University of Leeds' Parkinson Building. Picture: Tony Johnson.

Blackbaud, which provides software services to higher education institutions, has paid a ransom after it was targeted by cybercriminals in May.

It notified the universities last Thursday, which has led to institutions breaking the news to their associated members this week.

Sign up to our daily newsletter

The i newsletter cut through the noise

The Yorkshire Post reported yesterday that the University of York has been a victim of the breach.

The University of Leeds today emerged as a second in the region to have suffered a breach and alumna Chloe Roche said the incident is "really distressing".

The university is working with the company to find out exactly what personal data was compromised but said it "appears that names and email addresses for some members of our alumni and supporter community were affected", whereas details of the University of York's students and staff were also potentially exposed.

Information on the sums given as gifts or event payments through the alumni web portal, Leeds Alumni Online, may also have been affected, although not any bank account or credit card details.

The incident is believed to have affected a number of UK and USA healthcare, educational and not-for-profit organisations.

In the email, the university's director of development Michelle Calvert said: "We understand that this news may cause you some concern and we are sorry for any distress or inconvenience caused by what is criminal activity against one of our service providers.

"To stress again though, no bank account, credit card or password information was affected by the cyberattack.

"No action from you is required at this time, although in line with best practice, we recommend that you remain vigilant.

"Any suspicious activity or suspected identity theft should be reported promptly to the appropriate law enforcement authorities We are also on hand should you need any technical support or reassurance."

She said that it was continuing to work closely with Blackbaud to verify that all its data remains secure and was also seeking an explanation for the delay in the company informing them of this issue.

The Information Commissioner’s Office was sent a preliminary notification about this issue over the weekend, she added.

Former student Chloe Roche was told about the breach yesterday.

She said: “It’s really distressing to know that your personal data has been hacked and is in the hands of criminals.

"We have been notified that Blackbaud have paid a ransom for the hackers to destroy our private information, but I find that really disconcerting too.

“Ultimately, we’ve no way of knowing what has actually been done with our data and the idea that a company is being blackmailed for it makes me feel really uneasy. The potential for it to be sold or passed on also worries me so it’s very stressful.”

A University of Leeds spokesperson said: “We take the issue of data protection very seriously and are sorry for any concern caused to our alumni community and want to reassure them that, since being informed by Blackbaud of this incident, we have been working tirelessly to investigate what has happened, in order to accurately inform those affected.

“Blackbaud assures us that data compromised in the incident was comparatively low risk and did not contain any password, bank account or credit card information, and no action is required by our alumni community at this time, although, as ever, we recommend that everyone remains vigilant.”

In its own statement, Blackbaud said that it "encounters millions of attacks each month".

It said: "After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.

"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.

"The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.

"Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."

Mark Montaldo, a director at CEL Solicitors, which specialises in data breach claims, said: “We’ve already spoken to former university students who are rightly concerned about what this data breach could mean for them.

"To know your personal data has been hacked by criminals is incredibly worrying and increasingly common as more and more data is stored online."