Personal data belonging to former Maynooth University students, including their dates of birth, addresses and educational information, may have been stolen during a cybercriminal hacking attack last May.
The Kildare university's Development and Alumni Relations Office informed individuals who may have been affected by the breach by email last Thursday afternoon, and has apologised for the incident.
The Data Protection Commissioner has been informed of the incident. Maynooth University would not be drawn on how many alumni may have been affected by the hack.
A third-party service provider used by the university, US-based Blackbaud, which provides software to the education sector, informed MU on July 16 that it had been the victim of a ransomware attack in May, affecting records it manages for organisations worldwide. Ransomware is malicious software planted by criminals that infects and locks computers. The perpetrators demand a ransom before they allow the system to work again.
The hackers removed a copy of a backup file containing personal information including some Maynooth University data. Blackbaud paid the cybercriminals' demands, with confirmation that the stolen copy of the data had been destroyed.
"Based on the nature of their incident, their research and a third party (including law enforcement) investigation, Blackbaud do not believe that any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly and are continuing to monitor this," said MU in the email to affected alumni.
The Maynooth University Development and Alumni Office uses Blackbaud systems to engage with past students and supporters. The Office said that it was notifying those affected after investigating the matter.
According to the university, the data accessed by the hacker may have contained names, dates of birth, addresses, email addresses, education and professional information such as the qualifications received and the profession of the alumnus. It may also have contained details of the graduate's engagement with the Development and Alumni Relations Office, such as whether they made donations or took part in events.
However, Blackbaud confirmed that the investigation found that no encrypted information, such as credit card or bank account details or passwords was accessed.
MU told alumni in their statement that there is no need for them to take any action. "We recommend you remain vigilant and report any suspicious activity or identity theft to the proper authorities.
"Please know that we take our data protection responsibilities very seriously. We assure you that we will continue to do everything we can to ensure the safety of your data. We will continue to work with Blackbaud to investigate this matter and take the advice from our Data Protection officer and information security team."
Maynooth University said it is reviewing its relationship with Blackbaud as a service provider, and is continuing to work with the tech company "to understand the steps they have taken to address this and what actions they will take to increase their security.
"We at Maynooth University sincerely apologise for this incident."