Blackbaud Ransomware

The Blackbaud Breach – Queen Data’s Revenge

What Happened With the Blackbaud Breach?

On July 16th, 2020, Blackbaud began to notify their customers of a data breach, which they had become aware of in May of 2020. Simply put, this was a ransomware attack, whereby a cybercriminal attempted to lock Blackbaud out of some of their systems until such a time as a ransom was paid; in this case the attacker also removed a subset of data from a private cloud, but was not able to access their public cloud. In their own words:

“[W]e paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Now that the ransom has been paid, the cybercriminals claim to have deleted the information they pilfered from Blackbaud, but it may take a while to fully determine whether that is true, and the incident certainly affected some of Blackbaud’s clients. That said, Blackbaud has firm security measures in place and regularly stops attempts to breach their network, but even the best can be attacked.

In this blog we will run through who Blackbaud is (although most of you in Higher Education and the non-profit space likely know them well), what data was taken and affected, a short list of the institutions affected, and a look at similar breaches that have happened recently, as well as some basic conclusions. This incident highlighted the fact that many organizations do a decent job of screening vendors in a lot of ways, but it is essential that third parties also be assessed for cybersecurity. Blackbaud is a large company that works hard at security, but there are no guarantees when it comes to cybersecurity.

Who Is Blackbaud?

For those in the Higher Education field, Blackbaud is well known. Blackbaud is a publicly-traded company that provides fundraising, relationship, financial, and education management to academic institutions as well as other “social good organizations”. They are a U.S. based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software. Mostly they are known for products like Raiser’s Edge and NetCommunity that help organizations manage their fund-raising, keeping track of donors and the amounts they have contributed over time. This data is obviously of high value to the institutions they work with, including universities and non-profits, but more importantly it can contain vast amounts of personally identifiable information (PII), including things like where a person donates, how much, their net worth and so forth.

Blackbaud is, quite frankly, a huge part of many institutions, and is big enough that they’ll recover. That said, this affects a lot of institutions (more on that below) and may shine a light on how securely they treat their data in the future. Fundraising data is liquid gold, especially at a time like the present, when budgets are being examined and scholarships and programs may be at risk. Blackbaud has, for a long time, been a huge asset to their clients, and that will not change, but this is the exact type of attack that keeps those clients up at night.

What Data Was Affected?

Okay, now that we know what happened and who Blackbaud is, it is important to delve into what data was actually removed. The data involved in fund-raising, as mentioned, is the kind of PII that is very valuable to those using it for the right reasons, but also to those who have nefarious intent in mind. Thankfully the public cloud of Blackbaud was not breached, but still a wide variety of data did get out.

Blackbaud has said the data did not include bank account or payment card details. But a source has told the BBC that in some cases it involved donors’ details including:

  1. Names, ages and addresses
  2. Car licence details
  3. Employers
  4. Estimated wealth and identified assets
  5. Total number and value of past donations to the organisation in question
  6. Wider history of philanthropic and political gifts
  7. Spouses’ identity and past gift-giving
  8. Likelihood to make a bequest triggered by their death

Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert, Pat Walshe from the consultancy Privacy Matters, questioned whether such an assurance could be trusted. This would be valuable information to fraudsters, according to Walshe, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.

Now, to repeat, Blackbaud has stressed that having paid off its attackers, who compromised its systems with an as-yet unknown ransomware, it has received assurances from the cyber criminals that all the data compromised has been destroyed. However, cyber security experts agree that such an assurance is worth very little.

Blackbaud has “no reason” to believe that any data went beyond the cyber criminal organisation responsible, was or will be misused, or disseminated. The firm’s spokesperson said they believed the motivation behind the attack was business disruption rather than data theft, although it has hired a third-party team of experts to monitor the dark web as a precaution.

And Blackbaud, in several places, documented the sophisticated and complex cybersecurity measures they have in place. They also highlight that, due to the scope of the attack, they are working with law enforcement across the globe to make sure every possible angle is taken care of and to attempt to identify who the cybercriminals were.

Who Is Affected and What Do They Have To Do?

As of July 30th, 2020, there were over one hundred and twenty known victims:

BBC List

UK educational institutions:

  1. Aberystwyth University
  2. ACS International Schools
  3. Brasenose College, University of Oxford
  4. Brunel University, London
  5. De Montfort University
  6. Heriot-Watt University, Edinburgh
  7. Hughes Hall College, University of Cambridge
  8. King’s College, London
  9. Loughborough University
  10. Oxford Brookes University
  11. Radley College, Abingdon
  12. Robert Gordon University
  13. Selwyn College, University of Cambridge
  14. St Albans School, Hertfordshire
  15. St Aloysius School, Glasgow
  16. Sheffield Hallam University
  17. Staffordshire University
  18. University College, Oxford
  19. University of Aberdeen
  20. University of Birmingham
  21. University of Bristol
  22. University of Durham
  23. University of East Anglia
  24. University of Exeter
  25. University of Glasgow
  26. University of Hull
  27. University of Kent
  28. University of Leeds
  29. University of Liverpool
  30. University of London
  31. University of Manchester
  32. University of Newcastle
  33. University of Northampton
  34. University of Reading incl Henley Business School
  35. University of Strathclyde
  36. University of South Wales
  37. University of Sunderland
  38. University of Sussex
  39. University of West London
  40. University of York

Other UK non-profits:

  1. Action on Addiction
  2. Breast Cancer Now
  3. Choir with No Name
  4. Crisis
  5. Maccabi GB
  6. Myeloma UK
  7. Sue Ryder
  8. The National Trust
  9. The Urology Foundation
  10. The Wallich
  11. Young Minds

International organisations:

  1. Alpha USA charity
  2. Ambrose University, Alberta
  3. American Civil Liberties Union (ACLU), New York
  4. Bentley University, Massachusetts
  5. Boy Scouts of America
  6. Boys & Girls Clubs of Delaware
  7. Cancer Research Institute, New York
  8. Catholic Charities of St Paul’s and Minneapolis
  9. Central European University, Budapest
  10. Cheverus High School, Portland
  11. Coastal Maine Botanical Gardens
  12. Darlington School, Georgia
  13. Des Moines University
  14. Diocese of Gaylord, Michigan
  15. Emerson College, Boston
  16. FareStart, Seattle
  17. First Place For Youth, California
  18. Foodbank of Central and Eastern North Carolina
  19. Hennepin Healthcare Foundation, Minnesota
  20. Human Rights First, New York
  21. Human Rights Watch, New York
  22. Institute for Human Services, Charleston
  23. Kent Denver School, Colorado
  24. Kids Quest Children’s Museum, Bellevue
  25. Louisiana Tech University Foundation
  26. Mennonite Economic Development Associates (Mena), Waterloo
  27. Middlebury College, Vermont
  28. New College of Florida
  29. New Hampshire Public Radio
  30. National University of Ireland, Galway
  31. Northwest Immigrant Rights Project
  32. Open Space Institute, New York
  33. Rhode Island School of Design
  34. St Ignatius Loyola Parish, New York
  35. St Mary’s College of Maryland Foundation
  36. San Diego Public Library Foundation
  37. Save the Children, Connecticut
  38. Solid Ground, Seattle
  39. Springfield Museums, Massachusetts
  40. Texas Tech Foundation
  41. The Bishop Strachan School, Toronto
  42. University of Auckland, New Zealand
  43. University of Dayton
  44. University of North Florida
  45. University of Western Ontario
  46. Urban School, San Francisco
  47. Ventura College Foundation, California
  48. Vermont Foodbank
  49. Vermont Public Radio
  50. West Virginia University


As you can see, this was a wide-ranging breach that hit universities, non-profits, even a diocese here in Michigan. And more names will be added to this list, for sure. I’ve seen a few other lists that are already being updated. Now, what about the duties of those institutions, especially here in the United States?

Much of the affected data was of a nature that would not trigger notice requirements in the United States, because the elements that constitute “sensitive” data in the U.S. (such as usernames, passwords and social security numbers) were encrypted. However, there are a handful of states (notably Washington and North Dakota) that have notification statutes requiring notice to affected individuals if other kinds of information are accessed, such as names together with dates of birth, as was the case for many of Blackbaud’s customers.

The bigger issue, however, is for those U.S.-based entities who actively target individuals in the European Union. For example, many colleges and universities in the United States actively recruit prospective students or donors in the European Union. These types of recruitment activities are likely to bring them in scope of the EU’s General Data Protection Regulation (GDPR).

Other Similar Breaches This Year, like Chegg

This event has several similarities to Chegg’s data loss two years ago and in the last year, including late notification, downplaying the event, focusing more on investor concerns than customer concerns, and the lack of EdTech coverage. There are also several differences worth noting between the Blackbaud and Chegg events. Chegg did not learn of its data breach for several months but went public within a week of discovery, whereas Blackbaud took two months; Chegg notified the SEC officially about the breach while Blackbaud did not; and Chegg’s customers are students, whereas Blackbaud’s customers include schools (and indirectly donors). It is this last point that might lead to a different resolution over time.

There, of course, have been other breaches, but few are as far-reaching as this one. And the key here is that schools will react differently than students, who are not as aware of security issues. More importantly, schools are very sensitive to issues of data protection around their alumni and donors, not just for the legal reasons discussed but because they want to protect their golden goose, understandably so.

Conclusion

At the end of the day, the key takeaways are to always make sure your own organization is secure, so that in the case of a third-party vendor breach you can be adequately protected. Secondly, a strong vendor assessment and then regular re-assessment is important, as well as communicating with that vendor to ensure you’re on the same page. This breach was wide-ranging and hit a lot of institutions, but if everything Blackbaud is saying is true, then it is a close call that avoided major damage.


About the Author

Thomas Coke

Thomas Coke is the Chief Strategy Officer of BitLyft Cybersecurity. He has a JD from Michigan State University College of Law, a BA in Economics from Kalamazoo College and has years of experience in technology startups with a few successful exits. He can be reached at tom.coke@bitlyft.com and on LinkedIn at https://www.linkedin.com/in/thomascoke/