The university yesterday said that it was contacted last Thursday by a third-party service provider, Blackbaud, a major provider of customer relationship management systems for not-for-profit organisations and the higher education sector, to say that it had been the victim of a ransomware attack in May this year.
Blackbaud paid a ransom, said the university, and has "received assurances from the cybercriminal that the data had been destroyed".
The incident is believed to have affected a number of UK and USA healthcare, educational and not-for-profit organisations.
The attacker was able to remove a copy of a subset of data belonging to a number of the company's clients, including the University of York, an email sent to the North Yorkshire institution's members reveals.
The Heslington-based university uses the system to record "engagement" with people including alumni, staff and students, as well as "extended networks" and supporters.
An investigation by Blackbaud found that no encrypted information, such as bank account details or passwords, was compromised, according to the university.
No credit card details were stolen either, the company said.
But details which may have been accessed include: a member's name, title, gender, date of birth and student number; addresses and contact details such as phone number, email and LinkedIn profile URL; course and educational attainment details such as what qualification a person has received and some of the extracurricular opportunities they participated in while studying at York.
Other details which may have been exposed include: a record of a person's engagement with alumni and fundraising activities such as enquiries, event participation, volunteering, donations; a person's profession and their employer; and information about interests people have provided to the university, such as a response to one of its surveys.
Ransomware is malware that encrypts or otherwise blocks access to a victim's data, or threatens to publish data it has copied, unless a ransom is paid. In this incident, by Blackbaud's own account, the attacker was expelled before it could encrypt the company's systems but had already exfiltrated a copy of data, so the ransom was paid for the attacker's promise to delete that copy rather than for a decryption key. Such a promise cannot be independently verified, which is why affected organisations are advising their members to remain vigilant.
In an email to members, Jo Horsburgh, the University of York registrar and secretary, said: "We are writing to inform you about a data security incident with a third-party service provider of the University of York. We believe it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as University of York data.
"We have been told that this may have involved your personal information, as the data includes a record of the University's engagement with members of its community and extended networks.
"There is no need for you to take any action at this time. The University of York takes its data protection responsibilities very seriously and we are therefore contacting you to explain the incident, what information was involved and the steps we have taken in response."
She added: "We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand.
"Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed."
The university said that it immediately launched its own investigation and notified affected parties so that they can be vigilant.
It has also informed the Information Commissioner’s Office (ICO) of the breach and is awaiting further guidance.
The university is also taking steps to find out how many other organisations in the higher education and wider not-for-profit sectors have been affected.
It is also "working with Blackbaud to understand why there was a delay between them finding the breach and notifying us", as well as what actions the company has taken to increase its security.
Members have been told that there is "no need" for them to take any action at the moment, but have been advised to remain vigilant and to promptly report any suspicious activity or suspected identity theft to the relevant authorities.
A University of York spokesperson said: “We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response.
"The third-party supplier, Blackbaud, has confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible. Under our GDPR obligations we have made a formal report to the Information Commissioner’s Office.
"There is no need for our community to take any action at this time - as a best practice, we recommend people remain vigilant.”
In its own statement, Blackbaud said that it "encounters millions of attacks each month".
It said: "After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.
"The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
"Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."