Blackbaud Hack – One More Ransomware Attack

Hackers are getting smarter day by day. Every day we are hearing the news on breaches or cyberattacks on a small scale or a mass scale. Last month we have heard of the Twitter attack and this time it’s a ransomware attack on Blackbaud, a US-based company – the largest provider of CRM.

Blackbaud is the largest provider of education, administration, fundraising, and financial management software platform.

Blackbaud was hacked in May 2020. Blackbaud released a statement that before locking cybercriminals out, the cybercriminals copied some of the data from their self-hosted environment.

As per the reports published by BBC, stolen data included phone numbers, donation history, and events attended. Payment details like credit cards do not appear to have been exposed. And also the data is not limited to former students who were financially supporting the institution but also to its staff, existing students, and other supporters.

Which organizations are affected by the Blackbaud hack?

As per BBC reports educational institutions which are affected are:

1. University of Birmingham, De Montfort University
2. University of Strathclyde
3. University of Exeter
4. University of York
5. Oxford Brookes University
6. Loughborough University
7. University of Leeds
8. University of London
9. University of Reading
10. University College, Oxford
11. Middlebury College, Vermont
12. West Virginia University
13. New College of Florida
14. Cheverus High School: Catholic High School Portland
15. The Bishop Strachan School, Canada
16. University of North Florida
17. Ambrose University, Alberta, Canada
18. Rhode Island School of Design, US

Non-Profit organizations such as charities are affected:

1. Choir with No Name
2. Vermont Foodbank
3. Vermont Public Radio
4. Northwest Immigrant Rights Project
5. Human Rights Watch
6. Young Minds
7. National Trust
8. Wallich and Crisis
9. Sue Ryder

As per the BBC, UK’s ICO has informed that 125 organizations had reported to it for the Blackbaud attack. Maybe many more charities or educational organizations may have been affected.

How Privacy Law is affected and its impact?

Under General Data Protection Regulation (GDPR), organizations must report a significant breach to a relevant supervisory authority within 72 hours of becoming aware of the breach or face potential fines. There will be 2 levels of fines based on the breach. The minimum fine is up to €10 million or 2% of the company’s company’s global turnover and the maximum fine is up to €20 million or 4% of the global turnover

If a breach has a significant impact then the organization must notify the Information Commission Officer (ICO) within 24 hours. And also notify the users if they are likely to be affected.

Blackbaud informed The UK’s ICO and Canadian data authorities about the data breach at least 8 weeks after discovering the cyber-attack. This means a clear violation of the GDPR.

The GDPR applies in this case because UK students are among those affected, and they are still covered by all the regulations until the Brexit transition ends on 31st Dec 2020.

All the institutions are sending emails & letters apologizing to those on the compromised breaches.

Actions taken by Blackbaud:

As per the reports Blackbaud has paid undisclosed ransom demand to save the customer’s data. After this, they released a statement that they have paid the hackers, and hackers confirmed that the data they had has been destroyed.

Paying the ransomware money is not illegal in the US & UK but it is against the advice of numerous law enforcement agencies such as the FBI, NCA, and Europol.

Blackbaud also said that it is working with law enforcement agencies and 3rd party investigators to check whether the data is on the dark web.

But questions persist about ransomware attacks and whether can you trust a cybercriminal.

Conclusion

Ransomware gangs are now focussing on corporate networks, where they get an initial foothold and steal the victim’s data before encrypting the local files. Victims are then forced to pay a ransom demand- either for unlocking or decrypting the files or for preventing their stolen data from being published on the internet.

Ransomware attacks are on the rise, especially as the Covid-19 pandemic continues. As part of due diligence before working with any provider, you should check that the provider must have adequate technical and organizational measures in place to defend against a ransomware attack.