Blackbaud Security Incident

Blackbaud Security Incident

The cybercrime industry is as vast as it is costly, accounting for trillions of dollars in losses. This constantly growing industry poses a threat to companies around the world. 

In May of 2020, Blackbaud, a cloud software company experienced a ransomware attack. In a ransomware attack, the victim’s data is encrypted, and the victim must pay a ransom in order to have it decrypted. Blackbaud’s cybersecurity team partnered with independent forensic experts and law enforcement to quickly stop the attack before further damage was done. They were able to prevent the cyber criminal from blocking their system access and encrypting their files. 

Ransomware Response 

Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. 

However, before completely blocking off the cyber criminal access, the cyber criminal was able to remove a copy of a subset of data form their self-hosted environment. In some cases, the stolen data included phone numbers, donation history and events attended. The company stated that they paid the ransom with confirmation that the copy the cyber criminal removed has been destroyed. They concluded that based on the research and third-party investigation, no compromised data has been misused or disseminated by the cyber criminal. 

The company also noted that the cybercriminal did not access credit card information, bank account information, or social security numbers. Additionally, the incident did not involve solutions in their public cloud environment (Microsoft Azure, Amazon Web Services).  

Blackbaud’s Next Steps 

Blackbaud also discusses their cybersecurity practices and next steps following this incident. They are continuing to develop their substantial cybersecurity practice with a dedicated team of professionals. This includes following industry-standard best practices, conducting on-going risk assessments, and assessing their infrastructure as well. They have also teamed up with other experts in the Cyber Security community through membership in various Cyber Security organizations. This allows for sharing of best practices and tactical threat information throughout members in the community. 

Affected Customers 

Blackbaud had contacted customers who were part of the incident and supplied them with additional information and resources. It was estimated that about 12 of Blackbaud’s customers were affected by the security incident, including multiple universities and non-profit organizations. Affected organizations include: 

  • Loughborough University  
  • University of Leeds 
  • University of Reading  
  • University of Exeter  
  • University of York  
  • University College Oxford  
  • University of London  
  • Canada’s Ambrose University  
  • Rhode Island School of Design  
  • Human Rights Watch  
  • Young Minds  
  • West Virginia University (WVU) Foundation  

They’re all said to be in the process of contacting those affected by the breach. After being notified of the incident by Blackbaud, WVU Foundation immediately launched their own investigation. Like many of the other entities affected, WVU Foundation is trying to understand why there was a delay between the discovery of the breach and when Blackbaud notified affected entities.   

Privacy Law 

Under General Data Protection Regulation (GDPR), companies are required to report a significant data breach to authorities within 72 hours of learning of an incident. If they fail to report it within this time frame, they may face potential fines.  

Unfortunately, the UK’s Information Commissioner’s Office (ICO) and the Canadian data authorities were also informed about the breach weeks after Blackbaud had discovered it. This is concerning since many of the higher education institutions impacted are located in England, which falls under GDPR. Authorities are said to be in contact with Blackbaud about the incident.