The university has been caught up in a security breach at Blackbaud, a database management software company that holds information on alumni, donors and other groups at tertiary institutions and charities around the world.
In an email to alumni yesterday, deputy vice-chancellor Helen Nicholson said it was seeking clarification from Blackbaud if data from one file sent by the university to the United States in 2014 might have been affected.
The file contained information on a small number of alumni based in the United States at the time.
"We will be notifying affected people if it is confirmed that their details are involved," Prof Nicholson said.
The university had been advised no passwords, bank details or credit card details were included in the potential breach.
"Blackbaud has assured us that the breach has been contained and data are no longer at risk.
"However, our cybersecurity team is continuing to work with Blackbaud to confirm this."
The attack occurred in May.
"Although their cybersecurity measures intercepted the attack, the cybercriminal responsible was able to take copies of information belonging to a large number of universities and charities around the world.
"To protect the stolen data, Blackbaud negotiated and paid a ransom to the attacker in return for an assurance that the data would be destroyed and no copies of the data would be distributed or retained."
The university had informed the Office of the Privacy Commissioner of the breach, and alerted all alumni and donors.
"We are confident that the incident has been successfully resolved. However, we urge you to remain vigilant for any unusual activity."
Earlier this week, Auckland University reported a similar cyberattack. "To protect the stolen data, Blackbaud negotiated and paid a ransom to the attacker in return for an assurance that the data would be destroyed and no copies of the data would be distributed or retained," the university said.
IT Professionals New Zealand chief executive Paul Matthews told Radio New Zealand yesterday that Blackbaud was "quite rightly getting a reasonable amount of criticism" after waiting two months to inform people of the breach.