DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Blackbaud Data Breach: Non-Profit Foundations (Part One)

Posted on October 7, 2020 by Dissent

Marco A. De Felice aka @amvinfe has begun a series of articles on the Blackbaud breach. He begins with Blackbaud’s initially inaccurate claims that no Social Security numbers, bank account data, or sensitive details had been accessed and exfiltrated. As most people know by now, Blackbaud had to issue an update to its original notification, but De Felice finds even that update inadequate. He writes, in part:

In at least one confirmed case within a non-profit organization, the Ransomware group also managed to exfiltrate the “driver’s license number” and the “government ID number” (driver’s license number and other government identification numbers).

That notification, by MacDowell, stated, in part:

Though Blackbaud typically stores this sensitive information in secure, encrypted fields, an oversight on Blackbaud’s part left certain fields that may contain these types of data unencrypted. MacDowell only became aware of this issue after the incident.

The MacDowell notification isn’t the only one to have pointed out inconsistencies between what Blackbaud had claimed and what entities found when they conducted their own investigations. SuspectFile provides additional reports from Shady Hill School and Scholarship America who also reported sensitive information had not been encrypted and had potentially been exfiltrated by the threat actors.

Some confusion and updating is to be expected in complex cases, especially since threat actors are generally good at covering their tracks.  But consider what happened with the Perez Art Museum of Miami (PAMM).  On September 5, they issued a notification that stated that on

August 26, PAMM learned that the attack may have exposed credit card and bank account information for certain customers and donors. Over the past month, PAMM has been working with Blackbaud and external professionals to learn more about the incident and the scope of information involved. Blackbaud has released an official statement at https://www.blackbaud.com/securityincident.

Yet the September 29th statement on Blackbaud’s site, issued one month after PAMM learned that bank account and credit card information of its donors may have been exposed, read:

The cybercriminal did not access credit cardholder data.
Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the incident. Customers who this applies to who we believe are using these fields for such information were contacted the week of September 27, 2020 and were provided with additional support.

So after more investigation, Blackbaud continued to maintain that credit cardholder data was not accessed. PAMM relied on Blackbaud’s statement and decided not to offer credit card monitoring services. Whether that was a smart decision remains to be seen.

The PAMM incident was not discussed in SuspectFile and is based on DataBreaches.net’s own research. Other examples that DataBreaches.net found in our own research into the Blackbaud breach:

ADRA International’s notification of September 29 stated:

The Blackbaud breach, discovered in May 2020, may have included personal data for some of our ADRA supporters including names, addresses, phone numbers, date of birth, giving history, credit card and bank account information.

The Latin School of Chicago’s August 12 notification stated:

The personal information that may have been accessed included: names, addresses, telephone numbers, Social Security Numbers, and information relating to the individual’s relationship with Latin, such as their philanthropic giving history. Blackbaud generally encrypts sensitive information such as Social Security Number, credit card numbers, or financial account information entered on its systems. However, Latin later discovered that Blackbaud does not encrypt uploaded forms to its systems that may contain such information, and it subsequently determined that some forms containing Social Security Numbers were uploaded to Blackbaud’s systems.

Ball State’s own investigation also appeared to conflict somewhat with Blackbaud’s claims. Their September 18th notification stated, in part:

Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers and bank account information or passwords, was obtained by the cybercriminals. Blackbaud also confirmed that no credit or debit card information was part of the data theft. Furthermore, as best practice Ball State Foundation does not store credit card information or Social Security numbers in its system. However, our independent analysis has concluded that the cybercriminals may have accessed files which contained your Social Security Number/Tax ID Number.

So Ball State does not store SSN in its system but the cybercriminals may have accessed files that contained SSNs? Huh?

And on September 14, St. Bonaventure University also notified their donors that based on their own investigation, donors’ name, bank account number, and routing number were potentially impacted.

The examples described above and the Shady Hill, Scholarship America, and MacDowell notifications were all retrieved from submissions to the New Hampshire Attorney General’s Office. A more complete search involving submissions to other states would undoubtedly turn up more examples.

One point a number of entities have made in their notifications is that as part of their incident response, Blackbaud has hired firms to search the dark web for any signs of any data from Blackbaud. So far, none has been found, and that searching will presumably continue.

But DeFelice has something else that he is looking into — whether other entities were also caught up in the Blackbaud breach but never identified as such. You can read his hypotheses on SuspectFile.


Related:

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • North Country Healthcare responds to Stormous's claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • 70% of healthcare cyberattacks result in delayed patient care, report finds
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases
Category: Commentaries and AnalysesSubcontractor

Post navigation

← MS: AAA Ambulance Service experienced ransomware attack
Medical data of 150 Toronto hospital patients allegedly used to extort money from company →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Clorox Files $380M Suit Alleging Cognizant Gave Hackers Passwords in Catastrophic 2023 Cyberattack
  • Cyberattacks Paralyze Major Russian Restaurant Chains
  • France Travail: At least 340,000 job seekers victims of new hack
  • Legal Silence and Chilling Effects: Injunctions Against the Press in Cybersecurity
  • #StopRansomware: Interlock
  • Suspected XSS Forum Admin Arrested in Ukraine
  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Hungarian police arrest suspect in cyberattacks on independent media
  • Two more entities have folded after ransomware attacks
  • British institutions to be banned from paying ransoms to Russian hackers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • Uganda orders Google to register as a data-controller within 30 days after landmark privacy ruling
  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.