The Charity Report
Blackbaud Data Breach: The impact on Canadian charities and what we still don’t know

Blackbaud headquarters in Charleston, South Carolina

(August 24, 2020) In late July, scores of Canadian charities received notification of a global Blackbaud data breach involving its Raiser’s Edge and NetCommunity products. 

The stolen data could have included donor information charities routinely keep on their databases, such as a donor’s name, age, address, phone number, spouse’s identity, employer, estimated wealth and identified assets, total number and value of past donations, giving history to other charities, likelihood to make a bequest upon their death, events attended and friend connections, according to reports by the BBC. Credit card and other payment details do not appear to have been exposed.

Blackbaud, a publicly traded company, operates a platform used by thousands of charities to keep records on donors. It calls itself “the world’s leading software company powering social good,” and says its platform is used by 80% of the most influential nonprofits in the world. The breach affected charities worldwide.

Yet it was two months after the initial intrusion that Blackbaud notified its customers:

“In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers.

“… we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

The BBC has led media coverage of the Blackbaud data breach. In a piece published on July 31, 2020, it identified more than 40 UK educational institutions affected. Scores more organizations have been affected in the U.S., including the American Civil Liberties Union (ACLU), New York, the Boy Scouts of America, Human Rights Watch and Harvard University.

By August 13, 2020, the BBC reported that, “the UK Information Commissioner’s Office has so far received 166 cases as part of its ongoing investigation into the incident.”

Coveware, a U.S.-based ransomware incident response firm, reported in its recent Ransomware Marketplace Research report that the average ransom payment rose 33% from Q4 of 2019 to Q1 of 2020, to USD $111,605, although a single large organization may face a demand of one million dollars or more. It also reports that the number of public sector organizations hit by ransomware has jumped. Ransoms are typically paid in Bitcoin.

In Canada, The Charity Report’s own research reveals dozens of charities, large and small, have been impacted by the Blackbaud data breach including: 

  • Ambrose University, Calgary
  • Alzheimer Society of Nova Scotia
  • Bishop Strachan School, Toronto
  • BC Cancer Foundation
  • BCIT Foundation, Burnaby
  • CAMH, Toronto
  • Canada’s National Ballet School
  • CARE Canada
  • Crossroads International
  • Evangelical Fellowship of Canada
  • Food Banks Canada
  • Girls Inc. of Durham
  • Habitat for Humanity Canada
  • Heart and Stroke Foundation
  • MEDA, Waterloo
  • North York Harvest Food Bank, Toronto
  • QEII Foundation, Halifax
  • Ronald McDonald House Charities Atlantic, Halifax
  • Saint-Boniface Hospital Foundation, Manitoba
  • St. Lawrence College, Brockville
  • Trent University, Peterborough
  • University of Regina
  • University of Toronto
  • Wellspring Calgary
  • Western University

“The incident emerged as NGOs face a funding crunch due to COVID-19 and need to ‘pump’ private donors who can still afford to help more than ever,” according to The New Humanitarian, which details the number of international NGOs affected by the Blackbaud data breach globally.

Technology specialists have criticized Blackbaud’s response. Troy Hunt, creator of Have I Been Pwned (@haveibeenpwned), a service that lets you check whether your email address or password has appeared in a data breach, mocked Blackbaud’s trust in its attacker:

Good that @blackbaud can trust the party that installed sophisticated ransomware on their environment and successfully shook them down for money to then delete the data they took! https://t.co/V9hrjjIsgf pic.twitter.com/RDACqHOf2q

— Troy Hunt (@troyhunt) July 28, 2020

Cath Goulding, chief information security officer at cyber-security firm Nominet told the BBC that, “it is worrying that the supplier paid the ransom as, arguably, this encourages future attacks and doesn’t overcome the fact that data has been compromised. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise.” 

Bank Info Security’s Matthew J. Schwartz, writing in his Euro Security Watch column, called Blackbaud’s response to the data breach “bizarre,” saying “the entire first paragraph [of their statement] is dedicated to normalizing hacking.”

“The cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time – a threat to all companies around the world,” it begins. “Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert cybersecurity team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry.”

Schwartz’s article asks several other questions to which we currently have no answers: why Blackbaud customers were not notified about the breach until July 16, how many organizations were impacted, why Blackbaud would trust the attackers, whether its cyber security is good enough, and whether it has painted a target on its back by paying the ransom.

Senior staff at Blackbaud spoke with The NonProfit Times “with the agreement they would only be identified as spokespeople and that only comments from Todd Lant, chief information officer [for Blackbaud], be directly attributable.”

In an article published on August 6, 2020, the unnamed officials said the first time anyone at Blackbaud knew there was a problem was May 14, when there was a suspicious log-in on an internal server.

Apparently, the attackers “continued to contact Blackbaud with the Bitcoin ransom demand and provided on June 18 what was purported to be a statement of involved files … [and] it took until July 9 to develop enough certainty on information exposed and customers involved that it could work toward notifications by July 9. Customer notifications were made on July 16.”

“Between July 9 and July 16, our teams were working around the clock to prepare contact data, author customized, scenario specific communications for each customer that was part of the incident.” 

“We value every social good organization that is part of the Blackbaud family, and we sincerely apologize to our customers for the disruption this caused,” Todd Lant was quoted as saying. “Our cybersecurity team stopped this sophisticated ransomware attack before the criminal could lock down our network…”

“What I believe is happening is that Blackbaud is trying to classify the event as not being a data breach – based on the premise that they paid the ransom and got a pinky swear that the cybercriminal got rid of the data and did not share it,” according to Phil Hill, co-founder of MindWire. “Instead, Blackbaud is trying to present this as a successful prevention of a ransomware attack, noting that they ‘successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.’”

The timing of the breach was bad for charities affected because it had the potential to erode donor trust just as charities needed donor support amid the coronavirus pandemic. But it was also inopportune because of an upcoming call to report second quarter earnings to Blackbaud shareholders. 

“In the company’s Q2 earnings call with investors, Blackbaud did not even mention the security incident in the prepared remarks,” Hill says, and only when pressed by analysts did CEO Michael Gianoni speak and he did so “in terms of ransomware not in terms of data loss.”

“I’d like to just apologize on behalf of Blackbaud for the incident,” a recording of the call indicates. “Over the last five years, we’ve made significant investments to build a modern cyber security practice significant. And we follow industry best practices, we conduct ongoing risk assessments and simulations, we aggressively test security of our solutions and our infrastructure, including with several third-party experts that come in, which is the best practice.”

The Blackbaud data breach did not appear to dent its share price.

“Three hours after the start of trading [on July 30] … Blackbaud stock was up more than 15%,” wrote Hill.

Lawyers at Miller Thomson, a Canadian law firm with a specialty in charity law, posted a July 17, 2020 blog advising charities in the wake of the Blackbaud data breach:

“If your organization was affected, you should take the following steps,” wrote lawyers Nicole K. D’Aoust and David Krebs. “1) understand the contents of the notification and obtain clarification from Blackbaud if you do not; 2) understand the nature of the information at issue, whether any personal information was at risk, and assess your organization’s legal requirements as an entity ‘in control’ of the information that was breached; and 3) assess whether your organization has a legal or other obligation to notify any individuals, including donors, or other affected individuals of the breach.

“Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.”

The full extent of the Blackbaud data breach is still unknown.

Filed Under: News Tagged With: Blackbaud data breach, data breach, Phil Hill, The Charity Report