Marco A. De Felice aka @amvinfe has begun a series of articles on the Blackbaud breach. He begins with Blackbaud’s initially inaccurate claims that no Social Security numbers, bank account data, or sensitive details had been accessed and exfiltrated. As most people know by now, Blackbaud had to issue an update to its original notification, but De Felice finds even that update inadequate. He writes, in part:
In at least one confirmed case within a non-profit organization, the Ransomware group also managed to exfiltrate the “driver’s license number” and the “government ID number” (driver’s license number and other government identification numbers).
That notification, by MacDowell, stated, in part:
Though Blackbaud typically stores this sensitive information in secure, encrypted fields, an oversight on Blackbaud’s part left certain fields that may contain these types of data unencrypted. MacDowell only became aware of this issue after the incident.
The MacDowell notification isn’t the only one to have pointed out inconsistencies between what Blackbaud had claimed and what entities found when they conducted their own investigations. SuspectFile provides additional reports from Shady Hill School and Scholarship America who also reported sensitive information had not been encrypted and had potentially been exfiltrated by the threat actors.
Some confusion and updating is to be expected in complex cases, especially since threat actors are generally good at covering their tracks. But consider what happened with the Perez Art Museum of Miami (PAMM). On September 5, they issued a notification that stated that on
August 26, PAMM learned that the attack may have exposed credit card and bank account information for certain customers and donors. Over the past month, PAMM has been working with Blackbaud and external professionals to learn more about the incident and the scope of information involved. Blackbaud has released an official statement at https://www.blackbaud.com/securityincident.
Yet the September 29th statement on Blackbaud’s site, issued one month after PAMM learned that bank account and credit card information of its donors may have been exposed, read:
The cybercriminal did not access credit cardholder data.
Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the incident. Customers who this applies to who we believe are using these fields for such information were contacted the week of September 27, 2020 and were provided with additional support.
So after more investigation, Blackbaud continued to maintain that credit cardholder data was not accessed. PAMM relied on Blackbaud’s statement and decided not to offer credit card monitoring services. Whether that was a smart decision remains to be seen.
The PAMM incident was not discussed in SuspectFile and is based on DataBreaches.net’s own research. Other examples that DataBreaches.net found in our own research into the Blackbaud breach:
ADRA International’s notification of September 29 stated:
The Blackbaud breach, discovered in May 2020, may have included personal data for some of our ADRA supporters including names, addresses, phone numbers, date of birth, giving history, credit card and bank account information.
The Latin School of Chicago’s August 12 notification stated:
The personal information that may have been accessed included: names, addresses, telephone numbers, Social Security Numbers, and information relating to the individual’s relationship with Latin, such as their philanthropic giving history. Blackbaud generally encrypts sensitive information such as Social Security Number, credit card numbers, or financial account information entered on its systems. However, Latin later discovered that Blackbaud does not encrypt uploaded forms to its systems that may contain such information, and it subsequently determined that some forms containing Social Security Numbers were uploaded to Blackbaud’s systems.
Ball State’s own investigation also appeared to conflict somewhat with Blackbaud’s claims. Their September 18th notification stated, in part:
Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers and bank account information or passwords, was obtained by the cybercriminals. Blackbaud also confirmed that no credit or debit card information was part of the data theft. Furthermore, as best practice Ball State Foundation does not store credit card information or Social Security numbers in its system. However, our independent analysis has concluded that the cybercriminals may have accessed files which contained your Social Security Number/Tax ID Number.
So Ball State does not store SSN in its system but the cybercriminals may have accessed files that contained SSNs? Huh?
And on September 14, St. Bonaventure University also notified their donors that based on their own investigation, donors’ name, bank account number, and routing number were potentially impacted.
The examples described above and the Shady Hill, Scholarship America, and MacDowell notifications were all retrieved from submissions to the New Hampshire Attorney General’s Office. A more complete search involving submissions to other states would undoubtedly turn up more examples.
One point a number of entities have made in their notifications is that as part of their incident response, Blackbaud has hired firms to search the dark web for any signs of any data from Blackbaud. So far, none has been found, and that searching will presumably continue.
But DeFelice has something else that he is looking into — whether other entities were also caught up in the Blackbaud breach but never identified as such. You can read his hypotheses on SuspectFile.