Breaking: Blackbaud Hacked, Ransom Paid

Blackbaud, one of the world’s largest providers of financial and fundraising technology to nonprofits, was hacked and paid a ransom to have the hijacked data destroyed by the cybercriminals.

Officials learned of the intrusion in May and called in law enforcement and independent forensics experts to work with Blackbaud’s own security team, a Blackbaud spokesperson said. The teams were able to prevent the attackers from blocking users’ system access and from fully encrypting files.

Blackbaud officials first realized something was wrong when staff detected malicious activity internally. Once the attack was stopped, the criminals contacted Blackbaud with the ransom demand. Company officials spoke on the record but not for direct attribution.

Blackbaud declined to disclose how much was paid to the cybercriminals but it was done using Bitcoin. The firm also declined to say which data center was the entry point or how many are used by Blackbaud.

The cybercriminals were able to remove a copy of a subset of data from Blackbaud’s self-hosted environment. Credit card information, bank account information, or Social Security numbers were not stolen, according to the spokesperson.

Officials said they have confirmation that the stolen data was destroyed after the ransom was paid. “We have no reason to believe that any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly,” the spokesperson said.

“We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed,” the spokesperson said.

“As a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,” she said.

The incident did not involve data in Blackbaud’s public cloud environment of Microsoft Azure and Amazon Web Services, nor a majority of the firm’s self-hosted environment. The subset of customers who were part of the incident were notified and provided with additional information and resources.

Blackbaud remained operational during this incident. Most customers who were part of the incident experienced no outages. A small number had intermittent availability or a disruption in service while the incident was remediated, according to a company official.

Blackbaud is the target of millions of cyberattacks each month, according to the company official. The firm during the past five years established a cybersecurity practice with a team of professionals. Independent reviewers have evaluated the program and determined that it exceeds benchmarks for both the financial and technology sectors.

“We follow industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure. We are also a member of various Cyber Security thought leadership organizations, including: The Cloud Security Alliance and Financial Services Information Sharing and Analysis Center (FS-ISAC), where we team up with other experts to share best practices and tactical threat information for the Cyber Security community,” said the spokesperson.

“While this sophisticated ransomware attack happened, we were able to shut it down and have no reason to believe this will result in any public disclosure of any of our customers’ data,” Blackbaud President and CEO Mike Gianoni told The NonProfit Times.

“We have implemented additional measures to prevent this issue from happening again. We regret and apologize that this has caused unplanned effort for some of our customers as they process this information. We are partnering with the subset of customers who were part of this incident to make sure they are briefed and well supported,” Gianoni said.

Blackbaud is a publicly-traded company listed on the NASDAQ exchange, with a market cap of $2.7 billion on revenue of approximately $908.2 million. Its stock price opened at $54.39, down roughly 30.8 percent year to date. If the ransom paid is considered material to its financials, Blackbaud would have to disclose the amount in a Form 8-K filing with the Securities and Exchange Commission (SEC). The Blackbaud official said there would not be such a filing.

The Blackbaud incident is the second time this year a major provider to the nonprofit sector was hacked. MIP, owned by Community Brands, was the target of a ransomware attack on March 24. The firm declined to provide specifics regarding the attack, when it was discovered, how long ago the server might have been hacked or whether a ransom was paid. That hack also hit a non-cloud server system.


Editor’s note: This story has been updated to correct elements of the information on NASDAQ.