Donors to the Vermont Food Bank didn’t rain email and phone calls down upon the organization when they found out data in the charity’s fundraising software had been hacked at technology provider Blackbaud and was part of a ransomware threat. The food bank’s leaders, however, weren’t as sanguine.
Donors have been “very supportive overall,” said Allison Mindel, chief philanthropy officer at the food bank system headquartered in Barre, Vt. “People said they were so sorry this happened right now,” given the pandemic. “Cyberattacks are part of the world we live in now,” Mindel said.
The organization’s leaders have hired a law firm to investigate and to protect its interests, those of its donors and those of its 215 network partners. The Vermont Food Bank is not alone. Prominent organizations such as Planned Parenthood, the George W. Bush Presidential Center, Vermont Public Radio, the Rhode Island School of Design and Human Rights Watch have acknowledged receiving notices from Blackbaud.
Blackbaud began telling users of a system breach on July 16, as reported on The NonProfit Times website. What has many Blackbaud users unhappy is that the attack happened on Feb. 7, went undetected until May 14, and users were not notified until July.
Blackbaud has been careful about what it has released regarding the data breach. Mindel said she reached out to the food bank’s Blackbaud representative and was “directed to online resources.” She is not sure what has happened to the organization’s stolen data, other than Blackbaud’s assurance that the thieves have destroyed it.
The timing of the disclosure was also a challenge for Blackbaud. Senior officials at the tech firm spoke with The NonProfit Times on the record, on the condition that they be identified only as spokespeople and that only comments from Todd Lant, chief information officer, be directly attributed. Interviews were also conducted with independent technology experts and with officials at organizations alerted that their data might have been accessed.
The first time anyone at Blackbaud knew there was a problem was May 14, when a suspicious log-in was noticed on an internal server. The officials said the entry point was a data center server and the intrusion did not reach its cloud operations. The cybercriminals were able to remove a copy of a subset of data from Blackbaud’s self-hosted environment. No credit card information, bank account information or Social Security numbers were stolen, according to the spokesperson.
“The attack was sophisticated enough that it initially looked like legitimate customer activity. When it escalated, the attack evaded our endpoint detection, intrusion prevention, and monitoring processes,” one official explained. It was eventually tracked back to the Feb. 7 date.
“As the criminal began expanding into our systems, our cyber security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking our system access and fully encrypting files,” the official said.
“We recreated the issue internally and tested via third-party, independent firms that our remediation efforts worked at preventing a recurrence. Unfortunately, this vulnerability, despite extensive and ongoing testing by us and third-party experts, was undetected until this incident,” a Blackbaud official said.
All traces of the cybercriminal and their attempt to regain access ceased by June 3, according to a timeline provided by a Blackbaud official. That’s when assessing the extent of the damage to the system and to data became more of the focus.
The cybercriminal continued to contact Blackbaud with the Bitcoin ransom demand and on June 18 provided what was purported to be a list of the files involved. A third-party forensic assessor delivered an official report to Blackbaud on June 25. A detailed analysis then began to correlate the forensic data with customer and product lists, to determine and re-confirm every instance of a customer being part of the incident and which product that customer used.
Blackbaud had developed enough certainty about the information exposed and the customers involved that it could work toward notifications by July 9. Customer notifications were made on July 16. “Between July 9 and July 16, our teams were working around the clock to prepare contact data, author customized, scenario-specific communications for each customer that was part of the incident,” a Blackbaud official said. Communication systems (phone lines, email systems, etc.) had to be staffed with people trained to answer incoming questions.
“At first glance, the high-level timeline may cause some customers to question the expedience of our response,” an official said. “An investigation and detailed forensic analysis was needed in order to be able to confirm the scope of the incident, to pinpoint which customers were involved and also how they were involved. And our top priority was to stop the cybercriminal and expel them from our system, which was also part of the timeline.
“Because the vulnerability was fixed and tested by third parties, we confirmed that the issue had been remediated and the risk of information exposure did not increase during the time period from when our investigation started to when we notified customers. It is quite common in the industry for this sort of investigation to take a few months as in our case, or — in many cases with other providers — much longer prior to notification. We truly went as fast as we could,” the official said.
Details of that testing, how the ransom was paid, and how much, were not made available. Blackbaud is working with the Columbia, S.C., bureau of the FBI. A spokesman for the FBI declined to acknowledge there is an investigation but did not deny one is ongoing. There have been no reports filed with the Charleston or Mount Pleasant, S.C., police departments. No arrests have been announced.
“We value every social good organization that is part of the Blackbaud family, and we sincerely apologize to our customers for the disruption this caused. Our cybersecurity team stopped this sophisticated ransomware attack before the criminal could lock down our network, but this understandably created concern for customers who were part of the incident as they worked to understand and navigate the details,” said Lant.
“We have implemented additional measures to prevent this from happening again and are working closely with law enforcement. We are taking this very seriously and will continue to work with every customer who has questions or needs additional support,” he said.
Officials declined to say how many nonprofit accounts might have been accessed during the time the intruder was undetected. Various media outlets and regulatory agencies have cited hundreds of reports. In the United Kingdom, for example, there have been 125 reports to the Information Commissioner’s Office, which monitors data issues.
“People have the right to expect that organisations will handle their personal information securely and responsibly. The cloud software company Blackbaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services and we are making enquiries,” Rashana Vigerstaff, lead communications officer at the ICO, wrote in an email response to The NonProfit Times.
“Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied,” said Vigerstaff via the email.
One such organization is the University of York in Heslington, York, U.K. “We believe the ransomware attack involved a number of Blackbaud’s U.K. and U.S. healthcare, educational and not-for-profit clients,” according to a statement from the school provided by Alistair Keely, the school’s head of media relations.
“We take data protection obligations extremely seriously and have launched our own investigation, providing information for those affected which outlines the steps we are taking in response. The third-party supplier, Blackbaud, has confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible. Under our GDPR obligations we have made a formal report to the Information Commissioner’s Office,” according to the statement provided by Keely.
The General Data Protection Regulation (GDPR), as applied in the U.K., requires that firms report a significant data breach within 72 hours of discovering the intrusion, although the rules do not define “significant.”
In the United States, Middlebury College alerted donors its information was accessed, said Julia Ferrante, associate vice president for public affairs. In a message to donors, Middlebury officials wrote: “It is important to note that the cybercriminal did not access your Social Security number and credit card numbers because Middlebury does not store this information in the database. However, we have determined that the compromised file may have contained demographic data and information pertaining to your relationship with Middlebury, including philanthropic giving history.”
Cyber experts question whether Blackbaud can guarantee the data has been destroyed. “The reality is that companies in this position are paying for nothing more than a pinky promise from a bad faith actor,” said Brett Callow, a threat analyst with cybersecurity firm Emsisoft. “Whether ransomware groups do actually destroy the stolen data upon the ransom demand being paid is something only they know. I suspect, however, that they do not. Why would a criminal enterprise destroy data that it may be able to use or further monetize?”
Jacqueline Tiso, founder of JMT Consulting in Patterson, N.Y., cited pros and cons of paying a ransom, and of the timing of disclosure. If software firms “have insurance and can afford to pay the ransom without material data loss, I think that’s the ideal scenario. But, it would be naive to believe you can be back in business immediately even after you’ve paid up,” said Tiso. “The amount of forensic work necessary to ensure that systems are no longer infected, data hasn’t been compromised, and getting to a position to credibly issue a breach report requires a massive effort and significant time and cost.”
Blackbaud officials acknowledged the skepticism and said the firm has cyber insurance coverage.
“We are aware of some third parties questioning or speculating about our engagement on various levels with the cybercriminal. However, those third parties were not part of our investigation and they are not privy to the details and discussions that took place with experts as we evaluated the options,” the Blackbaud official said. “We respect that there may be differences of opinion, but our top priority was to ensure our customers’ data was protected and we did everything possible to ensure the information was destroyed.”
Blackbaud hired outside experts to monitor the dark web. The official said that no instance of the information being offered or posted has yet been found and that the firm will continue to monitor the dark web indefinitely.
Blackbaud is the target of numerous cyberattacks each month, according to a company official. During the past five years the firm has established a cybersecurity practice staffed by a team of professionals.
“We follow industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure. We are also a member of various Cyber Security thought leadership organizations, including: The Cloud Security Alliance and Financial Services Information Sharing and Analysis Center (FS-ISAC), where we team up with other experts to share best practices and tactical threat information for the Cyber Security community,” said an official when the hack first was acknowledged in July.
Depending on who is counting, Blackbaud is one of the largest, if not the largest, technology companies serving the nonprofit software and technology sector. While firms such as Microsoft, Salesforce and NetSuite are significantly larger and have a substantial presence in the nonprofit space, nonprofits are not the sole user base for those firms. At the end of 2019, Blackbaud reported 45,000 nonprofit and government customers in 100 countries.
The fallout has not affected Blackbaud’s stock, which is listed on the NASDAQ exchange. Blackbaud opened today at $64.71 per share, up $10.32 since the July 16 alert of the hack but still $32.64 off its 52-week high. Its market capitalization is $3.2 billion on reported revenue of $908 million. While Blackbaud declined to disclose the ransom amount paid, as a public company it would have had to report the amount to the Securities and Exchange Commission (SEC) had the payment been material to its financial position. No such 8-K filing has been made.