What Happened With the Blackbaud Breach?
On July 16, 2020, Blackbaud began notifying its customers of a data breach it had discovered in May 2020. Simply put, this was a ransomware attack: a cybercriminal attempted to lock Blackbaud out of some of its systems until a ransom was paid, and in this case also removed a subset of data from Blackbaud's private cloud; the attacker was not able to access its public cloud. In Blackbaud's own words:
“[W]e paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Now that the ransom has been paid, the cybercriminals claim to have deleted the data they took from Blackbaud. It may take a long time to determine whether that is true, and the incident has certainly affected a number of Blackbaud's clients. Blackbaud does have firm security measures in place and regularly stops attempts to breach its network, but even the best-defended organizations can be attacked.
In this blog we will run through who Blackbaud is (most of you in Higher Education and the non-profit space likely know them well), what data was taken, a list of the institutions known to be affected, similar breaches that have happened recently, and some basic conclusions. This incident highlights that while many organizations do a decent job of screening vendors in other respects, third parties must also be assessed for cybersecurity. Blackbaud is a large company that works hard at security, but there are no guarantees when it comes to cybersecurity.
Who Is Blackbaud?
For those in Higher Education, Blackbaud is well known. Blackbaud is a publicly traded, U.S.-based cloud software provider that offers fundraising, relationship, financial, and education management software to academic institutions and other "social good organizations"; it is one of the world's largest providers of education administration, fundraising, and financial management software. It is best known for products such as Raiser's Edge and NetCommunity, which help organizations manage fundraising and keep track of donors and the amounts they have contributed over time. This data is obviously of high value to the universities and non-profits Blackbaud works with, but more importantly it can contain vast amounts of personally identifiable information (PII): where a person donates, how much, their estimated net worth, and so forth.
Blackbaud is, quite frankly, a huge part of many institutions, and it is big enough to recover. That said, the breach affects a lot of institutions (more on that below) and may shine a light on how securely they treat their data in the future. Fundraising data is liquid gold, especially at a time like the present when budgets are being examined and scholarships and programs may be at risk. Blackbaud has long been a huge asset to its clients, and that will not change, but this is exactly the type of attack that keeps those clients up at night.
What Data Was Affected?
Now that we know what happened and who Blackbaud is, it is important to look at what data was actually removed. Fundraising data, as mentioned, is the kind of PII that is valuable to those who use it for legitimate purposes, but equally valuable to those with nefarious intent. Thankfully Blackbaud's public cloud was not breached, but a wide variety of data still got out.
Blackbaud has said the data did not include bank account or payment card details. But a source told the BBC that in some cases it involved donors' details including:
- Names, ages and addresses
- Car licence details
- Estimated wealth and identified assets
- Total number and value of past donations to the organisation in question
- Wider history of philanthropic and political gifts
- Spouses’ identity and past gift-giving
- Likelihood to make a bequest triggered by their death
Although Blackbaud has said the cybercriminals provided confirmation that the stolen data was destroyed, one expert, Pat Walshe of the consultancy Privacy Matters, questioned whether such an assurance could be trusted. According to Walshe, this information would be valuable to fraudsters, who could use it to fool victims into thinking they were making further donations when in fact they would be handing over their payment card details.
To repeat: Blackbaud has stressed that, having paid off its attackers, who compromised its systems with an as-yet unidentified ransomware strain, it has received assurances from the cybercriminals that all the compromised data has been destroyed. However, cybersecurity experts agree that such an assurance is worth very little; there is no way for a victim to verify that an attacker has deleted every copy of exfiltrated data.
Blackbaud has "no reason" to believe that any data went beyond the cybercriminal organisation responsible, or was or will be misused or disseminated. The firm's spokesperson said they believed the motivation behind the attack was business disruption rather than data theft, although the company has hired a third-party team of experts to monitor the dark web as a precaution.
Blackbaud has, in several places, documented the cybersecurity measures it has in place. It also notes that, given the scope of the attack, it is working with law enforcement around the world to cover every possible angle and to attempt to identify the cybercriminals.
Who Is Affected and What Do They Have To Do?
As of July 30th, 2020, there were over one hundred and twenty known victims; those publicly identified so far include:
UK educational institutions:
- Aberystwyth University
- ACS International Schools
- Brasenose College, University of Oxford
- Brunel University, London
- De Montfort University
- Heriot-Watt University, Edinburgh
- Hughes Hall College, University of Cambridge
- King’s College, London
- Loughborough University
- Oxford Brookes University
- Radley College, Abingdon
- Robert Gordon University
- Selwyn College, University of Cambridge
- St Albans School, Hertfordshire
- St Aloysius School, Glasgow
- Sheffield Hallam University
- Staffordshire University
- University College, Oxford
- University of Aberdeen
- University of Birmingham
- University of Bristol
- University of Durham
- University of East Anglia
- University of Exeter
- University of Glasgow
- University of Hull
- University of Kent
- University of Leeds
- University of Liverpool
- University of London
- University of Manchester
- University of Newcastle
- University of Northampton
- University of Reading incl Henley Business School
- University of Strathclyde
- University of South Wales
- University of Sunderland
- University of Sussex
- University of West London
- University of York
Other UK non-profits:
- Action on Addiction
- Breast Cancer Now
- Choir with No Name
- Maccabi GB
- Myeloma UK
- Sue Ryder
- The National Trust
- The Urology Foundation
- The Wallich
- Young Minds
Institutions and non-profits outside the UK (U.S., Canada, and elsewhere):
- Alpha USA charity
- Ambrose University, Alberta
- American Civil Liberties Union (ACLU), New York
- Bentley University, Massachusetts
- Boy Scouts of America
- Boys & Girls Clubs of Delaware
- Cancer Research Institute, New York
- Catholic Charities of St Paul’s and Minneapolis
- Central European University, Budapest
- Cheverus High School, Portland
- Coastal Maine Botanical Gardens
- Darlington School, Georgia
- Des Moines University
- Diocese of Gaylord, Michigan
- Emerson College, Boston
- FareStart, Seattle
- First Place For Youth, California
- Foodbank of Central and Eastern North Carolina
- Hennepin Healthcare Foundation, Minnesota
- Human Rights First, New York
- Human Rights Watch, New York
- Institute for Human Services, Charleston
- Kent Denver School, Colorado
- Kids Quest Children’s Museum, Bellevue
- Louisiana Tech University Foundation
- Mennonite Economic Development Associates (MEDA), Waterloo
- Middlebury College, Vermont
- New College of Florida
- New Hampshire Public Radio
- National University of Ireland, Galway
- Northwest Immigrant Rights Project
- Open Space Institute, New York
- Rhode Island School of Design
- St Ignatius Loyola Parish, New York
- St Mary’s College of Maryland Foundation
- San Diego Public Library Foundation
- Save the Children, Connecticut
- Solid Ground, Seattle
- Springfield Museums, Massachusetts
- Texas Tech Foundation
- The Bishop Strachan School, Toronto
- University of Auckland, New Zealand
- University of Dayton
- University of North Florida
- University of Western Ontario
- Urban School, San Francisco
- Ventura College Foundation, California
- Vermont Foodbank
- Vermont Public Radio
- West Virginia University
As you can see, this was a wide-ranging breach that hit universities, non-profits, and even a diocese here in Michigan. More names will surely be added to this list; I have seen several other lists that are already being updated. Now, what about the duties of those institutions, especially here in the United States?
Much of the affected data would not trigger notice requirements in the United States, because the elements that constitute "sensitive" data in the U.S. (such as usernames, passwords, and Social Security numbers) were encrypted. However, a handful of states (notably Washington and North Dakota) have notification statutes that require notice to affected individuals when other kinds of information are accessed, such as names together with dates of birth, as was the case for many of Blackbaud's customers.
The bigger issue, however, is for U.S.-based entities that actively target individuals in the European Union. For example, many U.S. colleges and universities actively recruit prospective students or donors in the EU. Such activities are likely to bring them within scope of the EU's General Data Protection Regulation (GDPR), which carries its own breach-notification obligations.
Other Similar Breaches This Year, like Chegg
This event has several similarities to Chegg's data losses over the past two years, including late notification, downplaying of the event, a focus on investor concerns over customer concerns, and a lack of EdTech press coverage. There are also several differences worth noting. Chegg did not learn of its breach for several months but went public within a week of discovery, whereas Blackbaud took two months; Chegg officially notified the SEC of the breach while Blackbaud did not; and Chegg's customers are students, whereas Blackbaud's customers are schools (and, indirectly, their donors). It is this last point that might lead to a different resolution over time.
There have, of course, been other breaches, but few are as far-reaching as this one. The key difference is that schools will react differently than students, who are generally less aware of security issues. More importantly, schools are very sensitive to data protection issues around their alumni and donors, not just for the legal reasons discussed but because they want to protect their golden goose, understandably so.
At the end of the day the key takeaways are these. First, make sure your own house is in order, so that a breach at a third-party vendor exposes no more than it must. Second, a strong vendor assessment followed by regular re-assessment is important, as is communicating with the vendor to ensure you are on the same page. This breach was wide-ranging and hit a lot of institutions, but if everything Blackbaud is saying is true, then it was a close call that avoided major damage.