Blackbaud ransomware attack may have impacted millions of Individuals
Nonprofits, hospitals and universities are among those whose data was breached earlier this year.
Nearly 200 organizations and millions of individuals may have been impacted by a security breach earlier this year that targeted Blackbaud Inc., a cloud computing company whose clients include nonprofits, healthcare companies and universities.
In a statement posted on its website in July and updated September 29, Blackbaud said it was the target of a ransomware attack that it discovered in early May. The company said its cybersecurity team and independent forensics experts were able to combat the attack and eventually expel the hacker from its system, but not before the hacker was able to remove a copy of a subset of data from Blackbaud’s private cloud environment.
Blackbaud said it paid the hacker’s ransom demand in return for destruction of the stolen data, a decision some security experts speculate may encourage more ransomware attacks in the future.
“The payment of ransom requests causes more hacking attempts and weakens the industry as a whole,” said Paul Katzoff, CEO of WhiteCanyon Software, a cybersecurity software firm based in Salt Lake City. “It sets and reinforces a bad precedent.”
Blackbaud said it obtained confirmation that the stolen data had been destroyed and that it does not believe the data has been or will be misused, disseminated or made publicly available. It began notifying clients whose data may have been breached in July.
The company initially believed the cybercriminal gained access only to non-sensitive fields including names, ages, genders and dates of birth.
However, in its updated statement and in a disclosure to the Securities and Exchange Commission, Blackbaud said further forensic investigation found that unencrypted fields intended for bank account information, Social Security numbers, usernames and passwords may also have been compromised.
“In most cases, fields intended for sensitive information were encrypted and not accessible,” the company said in the SEC disclosure. “These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.”
Recent reports pin the number of affected clients at about 170 in the United States, Canada and the U.K. Numerous Blackbaud clients have posted statements acknowledging the breach and the potential impact on their patients, students and donors. Among them are Boston University, Santa Clara University, the University of Illinois Foundation, University of Dallas, King’s College London, George Washington University, Cancer Research Institute (CRI), Hopelink, Planned Parenthood Great Plains and National Public Radio stations.
Notably, Northwestern Memorial Healthcare reported a breach impacting 55,983 individuals to the U.S. Department of Health and Human Services Breach Portal related to the Blackbaud incident and said five individuals may have had sensitive financial information compromised.
Inova Health System reported a breach impacting more than 1 million individuals to the portal related to the breach. Inova apologized to patients and donors for the incident and provided them with guidance on how to protect their personal information.
“These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report,” Inova said in a statement. “Additionally, individuals should always remain vigilant in reviewing their financial account statements, explanation of benefits statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.”
Blackbaud is now the subject of several lawsuits stemming from the incident, including a complaint seeking class-action status and asserting claims for negligence, intrusion upon seclusion, breach of contract, and violations of data breach statutes.
Kristen Beckman is a freelance writer based in Colorado. She previously was a writer and editor for ALM’s Retirement Advisor magazine and LifeHealthPro online channel. She also was a reporter for Business Insurance magazine covering workers compensation topics. Kristen graduated from the University of Missouri with a degree in journalism.
READ MORE: