Data breach at eight UK universities

Universities have been alerted to hackers accessing staff, student, alumni and supporter data in May

Eight UK universities have just learned of a ransomware attack on their personal data in May.

The attack by hackers on database services provider Blackbaud was only disclosed to clients on 16 July. Blackbaud said that it paid an undisclosed ransom and was confident the stolen data had been destroyed. Blackbaud is one of the world’s largest providers of customer relationship management systems for the higher education and not-for-profit sectors.

The stolen data included that of staff, students, and financial supporters including alumni.

The affected universities are:

  • Newcastle University
  • Oxford Brookes University
  • Loughborough University
  • University College, Oxford
  • University of Exeter
  • University of Leeds
  • University of London
  • University of Reading
  • University of York

In a statement on the University of Reading’s website yesterday (23 July), chief strategy officer and university secretary Dr Richard Messer said:

“It is important to note that no sensitive financial information was involved, such as bank account, credit card details, or passwords. Where we do hold such information, it is held in a secure encoded form, and this has not been affected by this incident.

“However, a range of other personal information was accessed. Our database holds information about our alumni and supporters, and while many records are only partial, they can include details of dates of birth, contact information such as phone numbers, demographic information, and a history of relationships with the University, such as when people studied here, donation dates and amounts, and events organised by the University or Business School that people may have registered for or attended.

“We are reviewing options for enhanced security arrangements in-house so that alumni and supporters can be confident that when we contact them, or they contact us, we can securely confirm their identity.”

Newcastle University’s registrar, John Hogan, revealed on Tuesday 28 July that the university had been involved in the data breach. “The university is managing this incident in accordance with its data security procedures and we have written to the Information Commissioner’s Office (ICO) to notify them of this incident. Colleagues from across the university are working with Blackbaud to assess and minimise the impact of this incident, as well as working to avoid future exposure,” Mr Hogan said in a statement.

A number of universities in the US and Canada were also hacked, along with a charity and an NGO.
