The fallout continues Sunday after officials at California State University, Northridge announced it had indirectly paid ransom to hackers, who stole some of its data.
Students are now attempting to assess just how at risk they are, now that they have been notified that ransomware criminals broke into the CSUN network to lock users out of school servers.
Blackbaud, the South Carolina-based software and cloud company used by CSUN and other major universities, said its security defenses were breached between February and May 2020.
But the technology company claims credit card details, banking information and Social Security numbers were safeguarded during the cyber criminal offensive.
“Because protecting our customers’ data is our top priority, we paid the cyber criminal’s demand,” the company said in a statement. “We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cyber crime incident.”
Blackbaud discovered the incursion in May. It says it then tapped independent forensic experts and law enforcement as the company tried not to lose access to the system, while preventing the criminal element from fully encrypting files, an effort they said was successful.
Public-facing cloud infrastructure — such as Microsoft Azure and Amazon Web Services — was left untouched in the breach, company officials said.
Blackbaud said affected customers have been notified of the hack, and that it believes the ransomware attacker deleted the stolen data after it was paid an undisclosed amount to do so.
However, CSUN officials reminded students there is no way to know for sure whether the stolen data has actually been deleted.
“Blackbaud paid a ransom demand so the hackers would delete data they stole from its network,” the school said in a statement. “CSUN has no way to independently verify that the stolen data was deleted.”
Multiple California State University campuses, other universities, as well as global nonprofit organizations were also affected by the breach.
In a letter to students, Robert Gunsalus, the vice president for university relations and advancement, and Ranjit Philip, the interim vice president for information technology, said they have worked hard make sure students trust their information architecture.
“The campuses take privacy and information security very seriously, and protecting personal data and information is a top priority,” they wrote. “That is why it is troubling that Blackbaud waited so long to notify the CSU and other clients about the data incident that took place two months ago.”