"A recent data security breach involved information on alumni, donors and other related groups from the University of Auckland," alumni (ex-students) were told in an email from the university this afternoon.
"Although the encrypted data included contact details and dates of birth as well as information regarding donations and engagement with the University, it did not include passwords or credit card details," the email said.
The Auckland University alumni and donor data was stored with the Nasdaq-listed Blackbaud, a company that specialises in working with non-profits, including churches (making it the only major competitor, in that religious market with NZ's Pushpay).
Security experts often caution about the likes of dates-of-birth being stolen, because such information can be used for security questions to get a password changed. The university says the data was "encrypted upon theft" meaning the criminals could not read it.
Privacy Commissioner John Edwards said the breach had been reported to his office.
The attack was detected in May. Why did it take until today for alumni to be notified?
"Blackbaud only notified us last week, but were aware of the breach earlier," a spokeswoman told the Herald. "They have been monitoring for an appearance of the ransomed data on the 'darkweb' since May and have not detected any cases of it being sold or used."
Ths university says it had some 250,000 database entries on Blackbaud.
Notably, Blackbaud said in a statement that it paid the ransomware attackers.
NZ Police and Crown cybercrime agency Cert NZ recommend that those hit by ransomware do not pay. Data may not be unencrypted or returned as promised, and the proceeds often go to criminal gangs, helping to sustain operations in other areas such as drug and human trafficking. Copies of data might not be destroyed, but instead used for blackmail, and returned data can be booby-trapped to allow future access to an organisation's network, Cert NZ deputy director Declan Ingram recently told the Herald.
"In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team - together with independent forensics experts and law enforcement - successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system," Blackbaud's statement says.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
No dollar-figure is given, but ransomware attackers in other high-profile incidents, including the TravelEx hack in January (where no money was paid) have demanded sums around the US$5m mark from corporate targets.
Blackbaud's statement continues: "Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."
An update to the Privacy Act, which will come into force on December 1, will make it mandatory for organisations in NZ - or that do business with New Zealanders - to report any data breach.