The National University of Ireland, Galway confirmed that Blackbaud, a third party database service provider it uses to record engagement with members of the university community, was the target of a recent cyber attack.
The data breach did not affect current students and staff of the university, but rather its alumni, who were notified of the attack by the university in an email.
The university told alumni that the incident “may have involved a limited amount of your personal information, and while we have received assurances that your data was not and will not be misused, we are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant.”
Cybercriminal
The university said that upon discovering the attack, Blackbaud’s cyber security team, alongside forensics experts and law enforcement, prevented the cybercriminal from blocking their system access and fully encrypting files.
Though the cybercriminal was ultimately expelled from the system, they removed a copy of a backup file containing personal information before being locked out, including a subset of NUI Galway data.
Contact information including names, phone numbers, email address and mailing addresses were taken, however, financial information was not.
Blackbaud paid the cybercriminal’s demand, an undisclosed ransom, with confirmation that the copy they removed had been destroyed. The company does not believe any data went beyond the cybercriminal.
Ransom
NUI Galway said it was “not party to the decision to make this payment and only became aware of this payment after it had occurred.”
The university has apologised for the incident and launched its own investigation. It said it had informed the Data Protection Commission of the breach and is reviewing its relationship with Blackbaud.
Several universities and and other Blackbaud not-for-profit clients internationally were affected by the hack, which the company confirmed took place in May of this year in a statement on its website.
