Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software, recently disclosed that they were a victim of a ransomware attack that occurred in May 2020. The breach has affected educational institutions and nonprofits throughout North America and the UK, at least.
According to Blackbaud, the cybercriminals exfiltrated “a copy of a subset of data” from Blackbaud’s self-hosted environment, which did not include passwords, cardholder data, bank account info, SSNs, or their solutions in public cloud environments. However, the following data elements may have been accessed by the malicious actors:
- Contact info such as name, address, phone number, email
- Gender, DOB, student number
- Record of event and fundraising activities including donations, event participation, etc.
- Employer information
This marks the second incident in 2020 in which a major provider to the nonprofit sector was hacked.
On the Hot Seat
Blackbaud has been widely criticized for its handling of the incident. Parties affected by the breach were not notified until July 2020, weeks after the attack was initially identified in May 2020 (if you’re interested in the potential data breach notification law implications, check out this comprehensive Breach Law Library). Additionally, Blackbaud paid an undisclosed amount of Bitcoin to the cybercriminals without seeking input from its customers. While most in the cybersecurity community are not so trusting of hardened criminals, Blackbaud has publicly expressed its optimism that the cybercriminals destroyed the data and/or won’t misuse, disseminate or make the data publicly available:
“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed… as a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” a Blackbaud spokesperson said.
What Should You Do Next?
Blackbaud has not publicly revealed the scale of the breach, exactly which data elements were accessed, the amount of ransom that was paid, why it took weeks to notify affected parties, or any further technical details on how the cybercriminals spread the ransomware. If your organization uses any of Blackbaud’s self-hosted software (namely Altru, Financial Edge NXT, NetCommunity, or Raiser’s Edge NXT), you should perform additional investigative procedures to get answers to these questions and determine whether your organization or any of your constituents were implicated in the breach. You may need to review your contract with Blackbaud to determine whether your organization has a right-to-audit clause or a clause covering data breach notification from Blackbaud.
Now is also as good a time as any to consult your incident response plan, third-party risk management program, and cyber insurance coverage. This incident certainly highlights the need for organizations to exercise detailed cybersecurity due diligence over their critical vendors. At a minimum, a certified cybersecurity professional should review the organization’s SOC report or other third-party security attestation reports. Lest we forget: you can outsource services, but you cannot outsource risk.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident.