Blackbaud Breach Alert!

Cybersecurity, Third Party Risk Management
by Bill Deller
share with a colleague Download PDF

Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software, recently disclosed that they were a victim of a ransomware attack that occurred in May 2020. The breach has affected educational institutions and nonprofits throughout North America and the UK, at least.

According to Blackbaud, the cybercriminals exfiltrated "a copy of a subset of data" from Blackbaud's self-hosted environment, which did not include passwords, cardholder data, bank account info, SSNs, or their solutions in public cloud environments. However, the following data elements may have been accessed by the malicious actors:

  • Contact info such as name, address, phone number, email
  • Gender, DOB, student number
  • Record of event and fundraising activities including donations, event participation, etc.
  • Employer information

This marks the second incident in 2020 that a major provider to the nonprofit sector was hacked.

On the Hot Seat

Blackbaud has been highly criticized for their handling of the incident. Affected parties of the breach were not notified until July 2020, weeks after the attack was initially identified in May 2020 (If you're interested in the potential data breach notification law implications, check out this comprehensive Breach Law Library). Additionally, Blackbaud paid an undisclosed amount of Bitcoin to the cybercriminals, without considering input from their customers. While most in the cybersecurity community are not so trusting of hardened criminals, Blackbaud has publicly expressed their optimism that the cybercriminals destroyed the data and/or won’t misuse, disseminate or make the data publicly available:

“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed… as a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” a Blackbaud spokesperson said.

What Should You Do Next?

Blackbaud has not publicly revealed the scale of the breach, exactly what data elements were accessed, the amount of ransom that was paid, why they took weeks to notify affected parties, or any further technical details on how the cybercriminals spread the ransomware. If your organization uses any of Blackbaud’s self-hosted software (namely Altru, Financial Edge NXT, NetCommunity, or Raiser’s Edge NXT), you should perform additional investigative procedures to get answers to these questions and determine whether your organization or any of your constituents were implicated in the breach. You may need to review your contract with Blackbaud to determine if your organization has the right to audit clause or a clause surrounding data breach notification from Blackbaud.

Now is also as good of a time as any to consult your incident response plan, third party risk management program, and cyber insurance coverage. This incident certainly highlights the need for organizations to exercise detailed cybersecurity due diligence over their critical vendors. At a minimum, a certified professional in cybersecurity should review the organizations SOC report, or other third party security attestation reports. Lest we forget, you can outsource services, but you cannot outsource risk.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected]

In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident. 

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
Cybersecurity, IT Risk Advisory, Risk Advisory/Internal Audit BY Nathan Shepler
8 Key Considerations When Reviewing User Access
read more >
Cybersecurity, IT Risk Advisory BY Madeline Adamczyk
Allegheny County Marriage License Data Leak May Affect Recent Newlyweds
read more >
Cybersecurity, Health Care BY Daniel Hooven
$1 Billion a Day: Unpacking the Financial Aftershock of the Change Healthcare Cyber-Attack
read more >
Cybersecurity, IT Risk Advisory, Retail BY Madeline Adamczyk
Get the Low Down Before You Download: Exploring the Temu App’s Security Risks
read more >
Cybersecurity BY Nicholas DeLuca
Six-Figure Ransomware Attack Hits Washington County, PA
read more >
Cybersecurity BY Daniel Hooven
Romance Scams: Guarding Your Heart and Wallet
read more >
Register to receive our weekly newsletter with our most recent columns and insights.
subscribe for updates
most recent
Investment Corner with Jason & Sean: U.S. Small Cap Equities
Wealth Management
By Jason Staley | 4.23.2024

Learn more about the comprehensive history of technology and how it has directly shaped the realm of investing. ...

read more
most popular
Dynamics 365 Business Central 2024 Release Wave 1: Top 5 Features
Consulting, Digital & Technology
By Michael Scalamogna | 4.23.2024

Learn more about the top five new artificial intelligence features of wave one of the 2024 release of Dynamics 365 Business Central. ...

read more
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Pittsburgh
Columbus
Metropolitan Washington
Image of Prime Global Logo
follow us client portal

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.

×
Accept