Blackbaud Breach Alert!

Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software, recently disclosed that they were a victim of a ransomware attack that occurred in May 2020. The breach has affected educational institutions and nonprofits at least throughout North America and the UK.

According to Blackbaud, the cybercriminals exfiltrated "a copy of a subset of data" from Blackbaud's self-hosted environment, which did not include passwords, cardholder data, bank account info, SSNs, or their solutions in public cloud environments. However, the following data elements may have been accessed by the malicious actors:

  • Contact info such as name, address, phone number, email
  • Gender, DOB, student number
  • Record of event and fundraising activities including donations, event participation, etc.
  • Employer information

This marks the second incident in 2020 in which a major provider to the nonprofit sector was hacked.

On the Hot Seat

Blackbaud has been highly criticized for their handling of the incident. Affected parties of the breach were not notified until July 2020, weeks after the attack was initially identified in May 2020 (if you're interested in the potential data breach notification law implications, check out this comprehensive Breach Law Library). Additionally, Blackbaud paid an undisclosed amount of Bitcoin to the cybercriminals without considering input from their customers. While most in the cybersecurity community are not so trusting of hardened criminals, Blackbaud has publicly expressed their optimism that the cybercriminals destroyed the data and/or won’t misuse, disseminate or make the data publicly available:

“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed… as a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” a Blackbaud spokesperson said.

What Should You Do Next?

Blackbaud has not publicly revealed the scale of the breach, exactly what data elements were accessed, the amount of ransom that was paid, why they took weeks to notify affected parties, or any further technical details on how the cybercriminals spread the ransomware. If your organization uses any of Blackbaud’s self-hosted software (namely Altru, Financial Edge NXT, NetCommunity, or Raiser’s Edge NXT), you should perform additional investigative procedures to get answers to these questions and determine whether your organization or any of your constituents were implicated in the breach. You may need to review your contract with Blackbaud to determine whether your organization has a right-to-audit clause or a clause covering data breach notification from Blackbaud.

Now is also as good a time as any to consult your incident response plan, third-party risk management program, and cyber insurance coverage. This incident certainly highlights the need for organizations to exercise detailed cybersecurity due diligence over their critical vendors. At a minimum, a certified cybersecurity professional should review the organization's SOC report or other third-party security attestation reports. Lest we forget, you can outsource services, but you cannot outsource risk.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit us online or contact us.

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

Cybersecurity, by Bill Deller
