Blackbaud Data Security Incident

The Incident

As you may know, The Our Lady of the Lake Foundation holds and manages philanthropic funds for the University in accordance with a signed agreement. Recently, we were informed by the Foundation that their third-party software service provider, Blackbaud, had been the victim of a ransomware attack. Blackbaud is one of the world’s largest cloud software and data management companies, used widely by thousands of not-for-profit organizations and universities. The Foundation uses Blackbaud’s software to manage their donor database.

We are providing information about this data security event that may have involved our donors’ personal information now that we have finalized our own review of Blackbaud’s report to us.

What Happened

Blackbaud informed the Foundation in mid-July that they discovered and stopped a ransomware attack in May 2020. The cybercriminal was unsuccessful in blocking system access and fully encrypting files and was ultimately expelled from their system. However, prior to expulsion, the cybercriminal was able to remove a copy of a subset of several of their clients' data, which included our organization.

What Information Was Involved

We would like to reassure our constituents that a detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and third-party cyber security experts.

Blackbaud has confirmed through its cyber security experts, independent forensics experts, and law enforcement investigations that the cybercriminals did not access credit card information, bank account information, or social security numbers. Franciscan Missionaries of Our Lady University never receives social security numbers, and debit or credit card information is securely encrypted. However, the back-up file removed by the attackers through Blackbaud may have contained individual contact information such as names and addresses.

What Steps Did Blackbaud Take

In order to protect their customers’ data, Blackbaud paid the cybercriminal’s demand with confirmation that the copy of the removed files had been destroyed. Since the cyber-attack was stopped and data destroyed, Blackbaud and law enforcement have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

Blackbaud has advised us that it received additional assurances of the destruction of data by third-party experts and has retained those experts to continually monitor the web for any potential misuse.

What We Are Doing

This cybercrime was in no way related to any type of security vulnerability within our organization. Though our organization was not the focus of this attack, we do take these incidents very seriously and share your concerns.

The Our Lady of the Lake Foundation immediately launched its own review and has taken the following steps:

  • Notifying affected donors, together with FranU, to make them aware of this breach of Blackbaud's systems so they can remain vigilant;
  • Working with Blackbaud to understand why there was a delay between finding the breach and notifying us, as well as what actions Blackbaud has taken and is taking to increase its security and prevent future attacks;
  • Taking steps to learn exactly how many other parties in the not-for-profit sector have been affected.

We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.

Please be assured that we are grateful stewards of your generous support, and if you have any questions or concerns, I encourage you to contact us at advancement@franu.edu.

Blackbaud Security Incident Frequently Asked Questions

The following is a list of frequently asked questions and answers provided by Blackbaud, Inc., for further clarification.

What happened?

Blackbaud discovered and stopped a ransomware attack. In a ransomware attack, cyber criminals attempt to disrupt business by locking companies out of their own data and servers. After discovering the attack, their Cyber Security team - together with independent forensics experts and law enforcement - successfully prevented the cybercriminal from blocking their system access and fully encrypting files and ultimately expelled the cybercriminal from their system. Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. The data set the cybercriminal was exposed to did not contain any credit card information. The cybercriminal did not access bank account information or social security numbers because they are encrypted. In accordance with regulatory requirements and in an abundance of caution, Blackbaud notified all organizations whose data was part of this incident and provided resources and tools to help assess this situation. Blackbaud has already implemented changes to prevent this specific issue from happening again.

Did Blackbaud pay the cybercriminal to contain the information they had?

Yes, Blackbaud took all appropriate measures to protect their customers' data, which was their top priority in that situation. Blackbaud has no reason to believe that any data was or will be made available publicly. As a matter of fact, Blackbaud did not pay the ransom until they received assurance that the data was destroyed. As a precautionary measure, they have hired outside experts to monitor the dark web indefinitely, and they have found no evidence that any information was ever released.

How can Blackbaud be sure the information the cybercriminal was exposed to is contained and wasn't sold online?

Based on the nature of the incident, Blackbaud's research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Their motivation was to disrupt Blackbaud's business by encrypting customer files in their data centers, which Blackbaud was able to prevent. Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.

Why didn't Blackbaud contact customers in May?

Blackbaud detected the first indicator of compromise on May 14, 2020. The cybercriminal's activity was contained and stopped by May 20, 2020. All traces of the cybercriminal and their attempt to regain access ceased by June 3, 2020, and Blackbaud could focus on assessing the extent of the damage to the system and to data. Blackbaud conducted its own damage assessment and received a revised statement of affected files from the cybercriminal on June 18, 2020. Blackbaud's third-party forensic assessor provided an official report on June 25, 2020. By July 9, 2020, Blackbaud had developed enough certainty about the information exposed and the customers affected that it could work toward notifications. Customer notifications were made on July 16, 2020. From the beginning of the incident to the end, the risk of information exposure did not increase. Data exposed to the cybercriminal was held and then destroyed by the cybercriminal after they were paid a negotiated amount to do so. Blackbaud and third parties, including law enforcement, have been monitoring the dark web and found no instances of the compromised data being released.