Blackbaud Breach Alert!

Blackbaud, one of the world's largest providers of education administration, fundraising, and financial management software, recently disclosed that they were a victim of a ransomware attack that occurred in May 2020. The breach has affected educational institutions and nonprofits throughout North America and the UK, at least.

According to Blackbaud, the cybercriminals exfiltrated "a copy of a subset of data" from Blackbaud's self-hosted environment. Blackbaud states that the stolen data did not include passwords, cardholder data, bank account information, or SSNs, and that its solutions hosted in public cloud environments were not affected. However, the following data elements may have been accessed by the malicious actors:

  • Contact info such as name, address, phone number, email
  • Gender, DOB, student number
  • Record of event and fundraising activities including donations, event participation, etc.
  • Employer information

This marks the second incident in 2020 in which a major provider to the nonprofit sector was hacked.

On the Hot Seat

Blackbaud has been heavily criticized for its handling of the incident. Affected parties were not notified until July 2020, weeks after the attack was initially identified in May 2020 (if you're interested in the potential data breach notification law implications, check out this comprehensive Breach Law Library). Additionally, Blackbaud paid an undisclosed amount of Bitcoin to the cybercriminals without seeking input from its customers. While most in the cybersecurity community are not so trusting of hardened criminals, Blackbaud has publicly expressed its optimism that the cybercriminals destroyed the data and/or won't misuse, disseminate, or make the data publicly available:

“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed… as a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” a Blackbaud spokesperson said.

What Should You Do Next?

Blackbaud has not publicly revealed the scale of the breach, exactly which data elements were accessed, the amount of ransom that was paid, why it took weeks to notify affected parties, or any further technical details on how the cybercriminals spread the ransomware. If your organization uses any of Blackbaud's self-hosted software (namely Altru, Financial Edge NXT, NetCommunity, or Raiser's Edge NXT), you should perform additional investigative procedures to get answers to these questions and determine whether your organization or any of your constituents were implicated in the breach. You may need to review your contract with Blackbaud to determine whether your organization has a right-to-audit clause or a clause governing data breach notification from Blackbaud.

Now is also as good a time as any to consult your incident response plan, third-party risk management program, and cyber insurance coverage. This incident certainly highlights the need for organizations to exercise detailed cybersecurity due diligence over their critical vendors. At a minimum, a certified cybersecurity professional should review each critical vendor's SOC report or other third-party security attestation reports. Lest we forget: you can outsource services, but you cannot outsource risk.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].

In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident.


© 2023 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
