Blackbaud on Data Breach: Nothing to see here, move along

Blackbaud – a publicly-traded software company providing fundraising, relationship, financial, and education management to academic institutions as well as other “social good organizations” – detected a data breach in May of this year. The incident originated at a managed hosting (company-run data center) environment for the Raiser’s Edge and NetCommunity products that help organizations manage their fund-raising, keeping track of donors and amounts they have contributed over time. Two months later, on July 16th Blackbaud finally notified customers of the breach [emphasis added].

In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment. The subset of customers who were part of this incident have been notified and supplied with additional information and resources. We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.

It is not clear how many higher education institutions were impacted, since Blackbaud has not provided any further information.

Slide from Blackbaud investor presentation describing the scope of their business

Source: https://investor.blackbaud.com/events/event-details/q2-2020-blackbaud-earnings-conference-call

But based on what little coverage the data breach has received, and based on Educause listservs and private communications with CIOs, it appears that the number affected is in the hundreds, mostly in the US and the UK. Our friends at LISTedTECH, who track a number of EdTech systems across higher education and K-12 markets, have mapped the locations of colleges and universities that have publicly acknowledged they were impacted.

LISTedTECH graphic showing Blackbaud clients, highlighting those in the UK and the US and Canada that have publicly stated they were impacted by the data breach

Data Hack

The primary media coverage of this incident and Blackbaud’s response has been from the BBC. In their most recent article, the BBC described the data obtained by cybercriminals.

But a source has told the BBC that in some cases it involved donors’ details including:

– names, ages and addresses

– car licence details

– employers

– estimated wealth and identified assets

– total number and value of past donations to the organisation in question

– wider history of philanthropic and political gifts

– spouses’ identity and past gift-giving

– likelihood to make a bequest triggered by their death

Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted.

“The hackers would know these people have a propensity to support good causes,” commented Pat Walshe from the consultancy Privacy Matters.

This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.

It is difficult to get a full picture of the scope of the breach not just due to Blackbaud’s attempts to downplay the incident, but also as schools are likely embarrassed by having to notify current and potential donors that their information was lost.

Ransom Payment

A previous BBC article noted that paying the ransom could have been a mistake in the first place.

The statement goes on to say Blackbaud paid the ransom demand. Doing so is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.

Blackbaud said once the hackers had been paid, they had given “confirmation that the copy [of data] they removed had been destroyed”.

“It is worrying that the supplier paid the ransom as, arguably, this encourages future attacks and doesn’t overcome the fact that data has been compromised. This demonstrates the multiplier effect of supply chain hacks and reinforces the advice that security needs to be a collaborative exercise,” Cath Goulding, chief information security officer at cyber-security firm Nominet said.

As the BBC has described, Blackbaud did not follow this guidance, instead notifying customers two months after the event.

GDPR and California: Data Privacy

While the UK is in transition out of the European Union, that country is still bound by EU laws such as the General Data Protection Regulation (GDPR) through the end of this year. Article 33 of GDPR describes the notification requirements, where Blackbaud would be a “controller” [emphasis added].

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

The notification referred to in paragraph 1 shall at least:

1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

3. describe the likely consequences of the personal data breach;

4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

California, through SB24, requires notification to California residents for any data breach.

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)

Given the focus on donors, I’d bet that quite a few impacted individuals are California residents. Did Blackbaud do this notification, or are they relying on their customers to do so?

EdTech Accountability

What I believe is happening is that Blackbaud is trying to classify the event as not being a data breach – based on the premise that they paid the ransom and got a pinky swear that the cybercriminal got rid of the data and did not share it. Instead, Blackbaud is trying to present this as a successful prevention of a ransomware attack, noting that they “successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.”

Beyond GDPR regulations, this positioning could impact contract requirements with schools, as well as insurance coverage.

Slide from Blackbaud investor presentation describing "We make it simple with one accountable partner"

Source: https://investor.blackbaud.com/events/event-details/q2-2020-blackbaud-earnings-conference-call

This event has several similarities to Chegg’s data loss two years ago, which I covered at e-Literate – see my first Chegg breach post and my follow-up Chegg breach post four weeks later. Both involved late notification, downplaying the event, focusing more on investor concerns than customer concerns, and a lack of EdTech coverage. Given the statements about Blackbaud having “no reason to believe that any data went beyond the cybercriminal, was or will be misused”, it is worth noting that last year decrypted credentials from the Chegg breach were showing up on the dark web and appeared to be leading to multiple campus security attacks.

There are also several differences worth noting between the Blackbaud and Chegg events. Chegg did not learn of its data breach for several months and went public within a week of discovery, whereas Blackbaud took two months. Chegg notified the SEC officially about the breach while Blackbaud did not. And Chegg’s customers are students, whereas Blackbaud’s customers include schools (and indirectly donors). It is this last point that might lead to a different resolution over time.

I don’t know if the behind-the-scenes customer anger at Blackbaud will lead to any real action, but it is clear that the company is taking a ‘nothing to see here, move along’ approach. In this morning’s Q2 earnings call with investors, Blackbaud did not even mention the security incident in the prepared remarks. Luckily two analysts asked some good questions – whether the incident “was in the rear-view mirror”, how customers were reacting to the news, and whether this incident would accelerate the move to the public cloud. Based on the earnings call transcript, Blackbaud’s CEO Michael Gianoni gave non-answers to the first two. Note that he answered only in terms of ransomware and not in terms of data loss.

Yeah. Sure. Happy to do that. I just — related to that, I just wanted to start off for any customers that might be listening on the call, because I know they do and they also listen to the ones recorded. And I’ve been talking to a lot of customers, I’d like to just apologize on behalf of Blackbaud for the incident. Over the last five years, we’ve made significant investments to build a modern cyber security practice significant. And we follow industry best practices, we conduct ongoing risk assessments and simulations, we aggressively test security of our solutions and our infrastructure, including with several third-party experts that come in, which is the best practice.

And during the quarter, we discovered and stopped sophisticated attempted ransomware attack. Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got in to a subset of our customers and a subset of our backup environment. And based on the nature of the incident in our research including with several third-party experts in investigation folks including law enforcement that we work with, we have no reason to believe that any data went beyond the cyber criminal or will be disseminated or made available publicly.

So the incident did not reach a majority of our hosted environments and it did impact a subset of our customers who were quickly notified a couple of weeks ago. The goal of the, of any cyber criminal is to get control of a company’s production environment, and we were able to detect and eradicate and stop that, so that never happens. So, it’s unfortunate, but we did not have a service disruption because of this, and we’re working with all of our customers that were involved here to help them through this. So my level of confidence here related to this one particular area is, we did remediate this area, we tested it, we had outside firms test it, and we’re pretty confident that this one area has been shored up if you will.

It’s unfortunate that this happened, because this obviously wasn’t discovered by us or the outside firms we work with over the last several years. And I think we’re in a good spot related to the amount of investment, the expertise we have, the folks we’ve hired from outside of the company that have significant backgrounds in the space, and the outside companies that we work with are tops in their fields. So it’s a big focus of ours and it’s unfortunate to happen, but we remain quite diligent in driving this part of the business forward.

On the third question, Blackbaud implied that they are accelerating their move to the public cloud (to AWS, where most EdTech lives), away from colocation (or managed-hosting) data centers.

Three hours after the start of trading today, for what it’s worth, Blackbaud stock was up more than 15%.

If there’s any more to report on this data breach, it will be due to the BBC’s reporting or to Blackbaud customers taking real action. The investment community applied some pressure, but Blackbaud is moving on.

Update 8/3: Added transcript of earnings call answer to replace paraphrased summary.