Personal data of some donors to charities that use the Blackbaud fundraising and donor management system — information including Social Security numbers and banking information — was accessed by cybercriminals during the hack of the firm earlier this year. And, information of donors at organizations that are no longer users of the Blackbaud system was also accessed because their backups had not been deleted from Blackbaud’s servers.
Blackbaud paid an undisclosed ransom to cybercriminals after discovering the hack, which had gone on for three months before it was detected in May. The Charleston, S.C.-based company notified clients of the hack on July 16 and has been widely criticized for the time between discovery and notification of the charities. Officials said it was a sophisticated hack and they needed to time to assess what actually happened.
The NonProfit Times first reported the hack on July 16 and posted follow-up reporting online in August and a cover story in the September 1 issue.
The firm also faces investigation in the United Kingdom for possible violation of regulations regarding handling of data. At least five class action lawsuits have been filed in the United States against Blackbaud by both individual donors and by nonprofits. Officials at Blackbaud have declined to discuss the potential legal issues other than to say the firm has cybersecurity insurance. Among the demands in the legal actions is personal data monitoring services. A Blackbaud official said the firm will provide “services and support, including Identity Theft Protection Services for constituents where applicable.”
Blackbaud officials have consistently declined to be specific regarding how many of its self-reported 45,000 nonprofit and government customers in 100 countries were impacted. A Blackbaud official described those impacted as “a small percentage of our total customers” and “this new information only applies to a subset of those.”
The cybercriminals accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. The deeper hack did not involve all of the customers impacted in the cyberattack.
Blackbaud staff started calling and emailing users today to alert them to the additional information.
Hackers accessed the Blackbaud system through a customer’s system, Blackbaud officials told The NonProfit Times earlier this year. The hack did not access Blackbaud’s public cloud environment of Microsoft Azure and Amazon Web Services, nor a majority of the firm’s self-hosted environment, officials said. The latest information involved the same data set, no additional organizations were accessed, Blackbaud officials said.
Blackbaud remained operational during the incident and most customers who were part of the incident experienced no outages. A small number had intermittent availability or a disruption in service while the incident was remediated, according to a company official.
Senior officials at the tech firm spoke with The NonProfit Times on the record with the agreement they would only be identified as spokespeople and that only comments from Todd Lant, chief information officer, be directly attributable.
“As we continued our investigation, we found that customers used their systems in ways we didn’t expect, and we’ve also unfortunately discovered that a handful of fields intended for sensitive information were unencrypted,” said Lant. “And we want to assure the social good community that we are reflecting on this entire situation with a learning mindset and intend to communicate more soon.”
Blackbaud officials told The NonProfit Times that there had been what they described as “confusion” in the sector as to whether the cybercriminals accessed sensitive data. “In most cases, the answer is no. But it depends on how our customers store data,” Blackbaud officials said in a statement to The NonProfit Times. It was potentially accessible “if they don’t store it in an encrypted field designated for sensitive information and also, based on our recent findings, if it was one of the edge cases we recently found where we labeled a field for sensitive information that was not encrypted.”
Lant said that the additional exposure was on the same data sets as previously discovered. “The backups in question that were removed are the same, so the scope of the data involved has not changed for any customer. What changed for some involved organizations is that some fields we originally thought were encrypted were not,” he said. The firm is continuing internal and third-party review of the incident, he said. “We do not expect any additional notifications to be necessary. Again, the scope of data involved has not changed for any customer,” he said.
The description of the access to sensitive donor data by officials, pointing to inappropriate data input on the client side, could be construed as blaming a client for the incursion. Blackbaud officials said that was not the case.
“We are definitely not blaming our customers. Our company’s reason for existence is to ‘help good take over’ and most who work at Blackbaud have either worked for, served on boards for, or volunteered with, social good organizations. We’re taking this very seriously and regret that this happened,” the official said.
“Customers absolutely should expect their solution provider to protect their data. We are merely attempting to explain why we previously told customers that certain sensitive data was not involved and now we are saying it is for some customers,” the official said.
Blackbaud staff previously believed all fields for Social Security numbers, bank account information, usernames and passwords were encrypted in the solutions. But, that was not always the case. “We have been made aware of customers who are storing sensitive information in unencrypted fields that are not intended for such uses. This has taught us that we need to significantly broaden our work to encrypt data at ‘REST’ on behalf of our customers, which we have already begun,” the official said. “It has also taught us that publishing encrypted field lists is not enough — we need to provide more proactive education for our customers on best practices for database administration and provide greater support.”
“REST” refers to where data is stored, versus “in transit” as it moves around a network for use. Officials said the plan is to encrypt more data while in REST.
The fields Blackbaud encrypted originally were determined based on research and development for those solutions, which includes customer and market input on what fields would require greater protection. “Admittedly some of our solutions have been around for a while and it is appropriate for us to explore opportunities to modernize, especially given today’s security landscape,” an official said.
An additional issue is that donor data from firms no longer Blackbaud customers was still on the system. The firm has a data decommissioning and deprovisioning protocol and backups and are stored for six months. “For some products our decommissioning practice has been reliant on manual processes and we were in the process of automating them prior to the security incident. There were clearly breakdowns in that process in the instance of decommissioning some customers’ solutions and deleting of their backups,” the official said. An internal audit is being conducted and is being handled by an “accredited third party.” The official said the data was not being used for research or information on donor behavior.
Calls by The NonProfit Times to other technology vendors in the space showed six months to be routine for storage and then disposal of backups.
Blackbaud’s stock, which is listed on the NASDAQ exchange, closed yesterday at $57.89 per share, $37.04 off its 52-week high. Its year-to-date change is roughly 27 percent. Blackbaud’s market capitalization is $2.9 billion on reported revenue of $914 million.