Clients’ Bank Data Exposed in Blackbaud Ransomware Attack
Table of Contents
- By Dawna M. Roberts
- Oct 05, 2020
Blackbaud software was victim to a ransomware attack last May, and new information suggests that clients may have lost more than just basic information.
The Ransomware Attack in May
Initially, the cloud-based software company reported in its breach notification that they paid the ransom in exchange for the copies of the stolen information to be destroyed. However, now in an SEC report, they have acknowledged that much more personally identifiable information (PII) was exposed, including bank details, social security numbers, and usernames with or without passwords.
Blackbaud operating out of South Carolina provides software for marketing, fundraising, and customer relations. The recent reveal affects hundreds of healthcare organizations, education, and non-profits. All told, the ransomware attack perpetrated back in May exposed data for about 10 million users of the software.
New Details Revealed
On September 30, 2020, Blackbaud filed an 8-K report with the U.S. Securities and Exchange Commission (SEC) that included a lot more detail revealing a more accurate picture of the damage. In it, Blackbaud noted that “Further forensic investigation found that for some of the notified customers, the cybercriminals may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords,” according to the SEC filing. “In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted … and are being provided with additional support.”
Blackbaud is continuing their investigation and working with security professionals and law enforcement to determine the culprits responsible.
The company has been criticized for not reporting the data breach until July 16th and is facing at least ten lawsuits in the wake of this catastrophic exposure. With new information coming to light about the specific data that may have been exposed, including PII, identity theft and fraud are a real concern for the victims.
A Sketchy Deal
Although Blackbaud has admitted that they paid an undisclosed ransom to the attackers to get their data back and did so under the agreement that all copies would be destroyed, there is no assurances that the cybercriminals will keep their end of the bargain. The stolen data may still end up on the dark web for sale.
According to Brett Callow, a security firm researcher with Emsisoft said, “A breach is a breach, and Blackbaud experienced a breach,” Callow says. “That the company chose to pay the ransom in no way altered the fact that the criminals had accessed and possibly exfiltrated the data. Companies that choose to pay in this scenario are not in any way undoing the breach; they’re simply paying a bad-faith actor for a pinkie promise that the stolen data will be destroyed. Whether threat actors do ever actually destroy data is something only they know, but I’d be very surprised if they did.”
Cybercriminals’ goals are typically financially motivated, so it would be highly unlikely that they would comply with any deals or terms when they could collect the ransom and benefit a second time by selling the stolen information on the dark web. It’s all about profit.
What is Blackbaud Doing About It
Blackbaud assures their customer base that they have hired a team of experts to monitor the dark web and keep an eye out for any exposed data. Their own security firm and law enforcement agree that they can find no evidence that client data was leaked or has shown up anywhere on the internet.
Their opinion is that the attackers simply wanted to “disrupt” their business operations by encrypting and locking data centers to prevent access.
The Attack on Healthcare Continues
Blackbaud’s ransomware issue is another in a long line of attacks on healthcare. Many of the clients who use Blackbaud software for fundraising are non-profits or health providers. On Thursday, the U.S. Department of Health and Human Services added more names from the Blackbaud incident to the growing list of healthcare organizations affected by data breaches. Currently, that list includes more than three dozen healthcare organizations. Some of the heavy-hitting data breaches in healthcare this year are:
- Trinity Health - affected 3.3 million individuals.
- Nuvance Health (NY) - 315,000 people affected.
- University of Missouri Health Care - close to 190,000 affected.
Were You Affected?
If you or an affiliate uses Blackbaud software, you may have already received notification about the data breach. However, due to this new information surfacing, you may get a follow-up if your banking details, social security numbers, or other personally identifiable information was exposed. It is always best to assume the worst in any data breach and take quick action to protect those assets. Change your passwords and contact your bank to have them put a freeze on your accounts or restrict access. Any proactive measures you can take now may prevent you from being an additional victim of fraud or identity theft.