A ransom has been paid to hackers after personal details of staff and students at the University of York were stolen.
American firm Blackbaud, which manages the data for the university, confirmed it fell victim to a cyber attack.
The university has asked Blackbaud why it did not confirm the hack, which happened in May, until 16 July.
Blackbaud said “the cybercriminal was able to remove a copy of a subset of data from clients”, which includes York university.
It has assured the university that no bank account or credit details were stolen in the hack.
More stories across Yorkshire
Officials at the university said they were “working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.”
On 16 July, Blackbaud also notified the university that it had made the ransom payment.
The university has notified the Information Commissioner’s Office about the breach and said it was “awaiting further guidance”.
Details that were stolen include names, gender, dates of birth, addresses and contact details along with phone numbers and email addresses.
The hackers also had access to professional details of staff and students, including who they now work for.
The university said in a statement: “We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response.
“The third-party supplier, Blackbaud, has confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible.”
The Information Commissioner’s Office said: “People have the right to expect that organisations will handle their personal information securely and responsibly.
“The University of York has reported an incident to us and we will be making inquiries.”
Follow BBC Yorkshire on Facebook, Twitter and Instagram. Send your story ideas to firstname.lastname@example.org or send video here.