CyberGuide - Information Security and Cyber Risk Management

Blackbaud class action questions ransomware payment

This story first appeared in Advisen’s Cyber Front Page News.

By Erin Ayers, Advisen

A recent class action lawsuit against Blackbaud, a cloud software and services provider, questions the firm’s decision during a recent cyberattack to trust that paying a ransom would convince the cybercriminals to destroy a copy of exfiltrated data.

Blackbaud, which provides a wide variety of services to thousands of schools, healthcare organizations, churches, arts and cultural groups and other nonprofits around the world, said it “detected and stopped” the intrusion. However, the attackers managed to exfiltrate customer data before being ejected, the firm said.

“After discovering the attack, our cyber security team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system,” said the firm in a statement on its website.

The firm added, “Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or Social Security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

The class action lawsuit took specific aim at Blackbaud’s assurances that cybercriminals would comply, stating, “Defendant cannot reasonably maintain that the data thieves destroyed the subset copy simply because Defendant paid the ransom and the data thieves confirmed the copy was destroyed. In fact, the notices advise the affected individuals to monitor their own credit, suspicious account activity, and notify the school or non-profit of suspicious activity related to his or her credit. Despite this, Defendant has not offered any manner of redress.”

While the event was halted in May, the lawsuit states that the attack began in February 2020. Blackbaud notified clients in July and numerous affected organizations then had to notify their own customers of the breach, given the uncertainty over the compromised data.

The event illustrates the evolving impact of ransomware – in addition to attacks becoming a regular occurrence, more and more organizations face data exfiltration by cybercriminals to impel quicker payments. It also highlights the vast impact a cyberattack on one managed service provider can have on a constellation of downstream customers.

The exfiltrated data appears to vary by client, since many use Blackbaud for different services, but appears to be mainly name, address, contact information, and other non-financial information. The impact has been varied and widespread – Blackbaud customers include the Boy Scouts, several National Public Radio affiliates, the UK’s National Trust, scores of colleges and universities and charitable organizations. Some organizations notified customers that their contact information and donation history had been accessed. The class action lawsuit has demanded credit monitoring for affected customers that, given Blackbaud’s estimated 25,000 customers, may number in the millions.

Many of Blackbaud’s affected clients are in Europe, meaning the event is subject to the General Data Protection Regulation, and Blackbaud’s delay in reporting the event to clients falls outside GDPR’s 72-hour reporting guidelines. Blackbaud has reported that it has insurance coverage for the event and doesn’t expect a “material financial impact.”

The Blackbaud event will leave a “lasting impact on U.S. and international nonprofits,” according to the Identity Theft Resource Center. Even non-financial personal information can be useful to cybercriminals in social engineering and phishing scams.

“Employees of the nonprofit organizations impacted by the breach may receive emails that look like they are from an executive, in an attempt at spear phishing. Donors and members of the nonprofit organizations impacted by the Blackbaud data breach may receive messages asking to provide their personally identifiable information (PII) to update their contact or financial information, either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with,” said the ITRC in a blog post. Numerous articles on the breaches also note that many affected nonprofits have lost donors as a result of the event, and that compromised donation details may give cybercriminals even more ammunition for a wide range of attacks.

Editor Erin Ayers can be reached at [email protected]