Cal State Northridge officials announce cyberattack
A hacker who was unsuccessful at attempting to place ransomware on a third-party software and cloud-hosting provider for Cal State Northridge was able to get some customer data, school officials said in a letter to students this week.
However, the third-party company, Blackbaud, said in a statement it paid a ransom to the hacker after the cybercriminal confirmed the stolen data had been deleted.
Still, school officials said they had “no way to independently verify that the stolen data was deleted,” and recommended students regularly review their account statements and periodically obtain a credit report.
Blackbaud discovered and stopped the ransom attack sometime in May, company officials said in a statement, but school officials said the hacker could have been trying to place ransomware on the network as early as February.
Ransomware is used in an attempt to disrupt a business by locking companies out of their own data and servers, Blackbaud’s statement said.
But while the hacker was unsuccessful, the suspect did manage to get a subset of data from Blackbaud’s self-hosted environment. More specific details were not disclosed.
“The cybercriminal did not access credit card information, bank account information or social security numbers,” Blackbaud said.
The customers affected were notified and supplied with information and resources, school officials said.
Blackbaud provides services for numerous Cal State University schools, according to the CSUN letter, but it wasn’t immediately known if others were at risk.
School officials said it was “troubling” that Blackbaud waited two months to notify them of the cyberattack.
The CSU system was working with Blackbaud to better understand what data was potentially exposed and what changes were being made to prevent another cyberattack, school officials said.
Blackbaud said it believes the data did not get passed on beyond the hacker. It wasn’t immediately known if the hacker had been identified or arrested.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” the company’s statement said.