(August 24, 2020) In late July, scores of Canadian charities received notification of a global Blackbaud data breach involving its Raiser’s Edge and NetCommunity products.
The stolen data could have included donor information charities routinely keep on their databases, such as a donor’s name, age, address, phone number, spouse’s identity, employer, estimated wealth and identified assets, total number and value of past donations, giving history to other charities, likelihood to make a bequest upon their death, events attended and friend connections, according to reports by the BBC. Credit card and other payment details do not appear to have been exposed.
Blackbaud, a publicly-traded company, operates a platform used by thousands of charities to keep records on donors. It calls itself “the world’s leading software company powering social good,” and says its platform is used by 80% of the most influential nonprofits in the world. The Blackbaud data breach impacted charities worldwide.
Yet it was two months after the initial breach that Blackbaud notified its users:
“In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers.
“… we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
The BBC has led media coverage of the Blackbaud data breach. In a piece published on July 31, 2020, it had identified more than 40 UK educational institutions affected by the Blackbaud data breach. Scores more charities have been affected in the U.S., such as the American Civil Liberties Union (ACLU) of New York, Boy Scouts of America, Human Rights Watch and Harvard University.
By August 13, 2020, the BBC reported that “the UK Information Commissioner’s Office has so far received 166 cases as part of its ongoing investigation into the incident.”
Coveware, a U.S.-based company that works in the cyber vulnerabilities market and runs a ransomware incident response platform, reported in its recent Ransomware Marketplace Research report that the average ransom payment increased 33% (USD $111,605) in Q1 of 2020 from Q4 of 2019, although a single large organization may face a one-million-dollar ransom demand. It also reports that the number of public sector organizations experiencing a ransomware attack has jumped. Ransom is typically paid in Bitcoin.
In Canada, The Charity Report’s own research reveals dozens of charities, large and small, have been impacted by the Blackbaud data breach including:
Ambrose University, Calgary
Alzheimer Society of Nova Scotia
Bishop Strachan School, Toronto
BC Cancer Foundation
BCIT Foundation, Burnaby
Canada’s National Ballet School
Evangelical Fellowship of Canada
Food Banks Canada
Girls Inc. of Durham
Habitat for Humanity Canada
Heart and Stroke Foundation
North York Harvest Food Bank, Toronto
QEII Foundation, Halifax
Ronald McDonald House Charities Atlantic, Halifax
Saint-Boniface Hospital Foundation, Manitoba
St. Lawrence College, Brockville
Trent University, Peterborough
University of Regina
University of Toronto
“The incident emerged as NGOs face a funding crunch due to COVID-19 and need to ‘pump’ private donors who can still afford to help more than ever,” according to The New Humanitarian, which details the number of international NGOs affected by the Blackbaud data breach globally.
Technology specialists have criticized Blackbaud’s response. Troy Hunt, creator of @haveibeenpwned, a platform where you can check whether your email address or password has been compromised in a data breach, mocked Blackbaud’s trust in its attacker.
Cath Goulding, chief information security officer at cyber-security firm Nominet, told the BBC that “it is worrying that the supplier paid the ransom as, arguably, this encourages future attacks and doesn’t overcome the fact that data has been compromised. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise.”
Bank Info Security (Euro Security Watch’s) Matthew J. Schwartz described Blackbaud’s response to the data breach as “bizarre,” saying “the entire first paragraph [of their statement] is dedicated to normalizing hacking”:
“The cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time - a threat to all companies around the world,” it begins. “Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert cybersecurity team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry.”
Schwartz’s article asks several other questions to which we currently don’t have answers: why Blackbaud customers weren’t notified about the breach until July 16, how many organizations were impacted, why Blackbaud would trust the cyber attackers, whether its cyber security is good enough, and whether it has painted a target on its back by paying the ransom.
Senior staff at Blackbaud spoke with The NonProfit Times “with the agreement they would only be identified as spokespeople and that only comments from Todd Lant, chief information officer [for Blackbaud], be directly attributable.”
In an article published on August 6, 2020, the unnamed officials said the first time anyone at Blackbaud knew there was a problem was May 14, when there was a suspicious log-in on an internal server.
Apparently, the attackers “continued to contact Blackbaud with the Bitcoin ransom demand and provided on June 18 what was purported to be a statement of involved files … [and] it took until July 9 to develop enough certainty on information exposed and customers involved that it could work toward notifications by July 9. Customer notifications were made on July 16.”
“Between July 9 and July 16, our teams were working around the clock to prepare contact data, author customized, scenario specific communications for each customer that was part of the incident.”
“We value every social good organization that is part of the Blackbaud family, and we sincerely apologize to our customers for the disruption this caused,” Todd Lant was quoted as saying. “Our cybersecurity team stopped this sophisticated ransomware attack before the criminal could lock down our network...”
“What I believe is happening is that Blackbaud is trying to classify the event as not being a data breach – based on the premise that they paid the ransom and got a pinky swear that the cybercriminal got rid of the data and did not share it,” according to Phil Hill, co-founder of MindWire. “Instead, Blackbaud is trying to present this as a successful prevention of a ransomware attack, noting that they ‘successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.’”
The timing of the breach was bad for charities affected because it had the potential to erode donor trust just as charities needed donor support amid the coronavirus pandemic. But it was also inopportune because of an upcoming call to report second quarter earnings to Blackbaud shareholders.
“In the company’s Q2 earnings call with investors, Blackbaud did not even mention the security incident in the prepared remarks,” Hill says; only when pressed by analysts did CEO Michael Gianoni address it, and he did so “in terms of ransomware, not in terms of data loss.”
“I’d like to just apologize on behalf of Blackbaud for the incident,” a recording of the call indicates. “Over the last five years, we’ve made significant investments to build a modern cyber security practice significant. And we follow industry best practices, we conduct ongoing risk assessments and simulations, we aggressively test security of our solutions and our infrastructure, including with several third-party experts that come in, which is the best practice.”
The Blackbaud data breach did not appear to cause a drop in its share price.
“Three hours after the start of trading [on July 30] … Blackbaud stock was up more than 15%,” wrote Hill.
Lawyers at the Canadian law firm Miller Thomson, which specializes in charity law, posted a July 17, 2020 blog advising charities in the wake of the Blackbaud data breach:
“If your organization was affected, you should take the following steps,” wrote lawyers Nicole K. D’Aoust and David Krebs. “1) understand the contents of the notification and obtain clarification from Blackbaud if you do not; 2) understand the nature of the information at issue, whether any personal information was at risk, and assess your organization’s legal requirements as an entity ‘in control’ of the information that was breached; and 3) assess whether your organization has a legal or other obligation to notify any individuals, including donors, or other affected individuals of the breach.
“Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.”
The full extent of the Blackbaud data breach is still unknown.