A cloud-based provider of services for nonprofits, schools, healthcare organizations, faith communities, arts groups and corporations in five countries says data stolen in a ransomware attack four months ago may have included unencrypted customer information.
Blackbaud Inc. made the admission earlier this week in a filing with the U.S. Securities and Exchange Commission.
The incident was disclosed in July, with the South Carolina-based company saying a ransomware attack was discovered and stopped. Before locking the attackers out, a copy or part of Blackbaud’s private cloud data was transferred. It was thought Blackbaud had encrypted all that data.
However, according to the Sept. 29 filing, the company later realized that some fields were unencrypted and may have contained bank account information, social security numbers, usernames and/or passwords of customers’ users. Those customers who were using those fields began being notified Sept. 27.
Blackbaud’s customers in Canada include War Child Canada, the Evangelical Free Chuch of Canada, the Montreal General Hospital Foundation, Vancouver’s Mulgrave School, and Western University in London, Ont.
A spokesperson for Montreal General Hospital Foundation said Friday that it has been told no personal information it has has been exposed.
Western uses Blackbaud’s customer relationship management product to manage alumni, donor, and organization data, and to communicate with various members of its community. On July 24th it acknowledged it had been victimized in the hack. At that time it said data accessed by the cybercriminal may have contained names, dates of birth, contact information, donations or engagement with the university. In an email Friday a spokesperson for the university said it hasn’t been notified that it was among the organizations impacted by Blackbaud’s most recent discovery.
Blackbaud is refusing to identify how many Canadian customers have been notified about their stolen data. “We aren’t disclosing the total number of customers (or any segment) involved in the incident,” the company said in a statement Thursday to IT World Canada. “However, the majority of Blackbaud’s global customers were not involved in any way. And our investigation shows that this new information we communicated yesterday (Sept. 29) applies to only some of the customers who were notified on July 16.
“To respect the privacy of our customers, we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically. Those customers which were part of this incident have been notified.”
In July, the BBC named 20 organizations in Canada, the U.K. and the U.S. whose customers had personal information stolen, including Toronto’s Bishop Strachan School, a high school; and Calgary’s Ambrose University.
In some cases, the BBC said at the time — before the most recent revelation — that personal details were limited to those of former students, who had been asked to financially support the establishments from which they had graduated. But in other cases, it extended to staff, existing students and other supporters. But some stolen data included phone numbers, donation history and events attended by individuals.
Blackbaud paid the attacker’s ransom demand, saying it got confirmation that the copy they removed had been destroyed. “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” the company said in a statement on its website.
Blackbaud’s products include solutions for fundraising and customer relationship management, marketing, advocacy, peer-to-peer fundraising, corporate social responsibility, school management, ticketing, grantmaking, financial management, payment processing and analytics. It has customers in the United States, Australia, Canada, Costa Rica and the United Kingdom.
The company statement says the ransomware and data theft involved part of its private cloud. The incident didn’t involve solutions in its public cloud environment (Microsoft Azure, Amazon Web Services), nor its Merchant Services payment service. No entire product line or private cloud data centre was part of the incident, which means that how one customer was involved may not be the same as another, the company explained.
Publicly-traded Blackbaud has 3,400 employees around the world. According to an annual report filed in February, it had US$900 million in revenue during 2019 and a net income of $11.9 million.
(This story has been updated from the original to include comments from Western University)