Auckland University has been hit a cyber attack targeting information about alumni, donors and other groups at the university.
In a notice to alumni members today, the university said it had been informed by Blackbaud, the world's largest provide of not-for-profit database management software, of the recent data security breach.
"To protect the stolen data Blackbaud negotiated and paid a ransom to the attacker in return for an assurance that the data would be destroyed and no copies of the data would be distributed or retained.
• Auckland University inches up global rankings but Waikato takes a tumble
• Covid 19 coronavirus: Auckland Uni to stay online until mid-year
• Covid 19 coronavirus: University of Auckland may move hall residents to accommodate international students
• Covid 19 coronavirus: University of Auckland asks contract staff to work for no pay
"We believe the situation has been resolved, and that you do not need to take any action in response to this incident," said the notice from Professor Jenny Dixon, deputy vice-chancellor, strategic engagement.
A university spokeswoman said the university was not a party to the ransom payment, saying the size of the ransom was not disclosed by Blackbaud.
The university said that in May this year Blackbaud was the victim of a cyberattack that attempted to encrypt their systems.
"Although their cybersecurity measures intercepted the attack, the cybercriminal responsible was able to take copies of information belonging to a large number of universities and charities around the world.
"We understand that this included information from the University of Auckland. Although the encrypted data included contact details and dates of birth as well as information regarding donations and engagement with the University, it did not include passwords or credit card details," the notice said.
The university spokeswoman said it had received a reassurance from Blackbaud the data was safe, saying the company is listed on the US Stock Exchange.
"The organisation worked with federal law enforcement and third party experts familiar with this kind of attack. They have been advised that the criminal can be trusted in their statement that the data was destroyed because it is in their interest to do so – there is greater value in the next ransom they demand from another company than the data itself," the spokeswoman said.
The university said when it was alerted to the breach, it took steps to assess the impact on the individuals affected and the likelihood of harm.
It has also informed the Office of the Privacy Commissioner about the data breach, all alumni, donors and other affected groups.
Information has also been posted on the university's main public website