Blackbaud Data Security Incident
The information below relates to a data security incident involving Blackbaud, Inc., a third-party service provider of the Southern Arkansas University Foundation, Inc. Our organization takes our data protection responsibilities very seriously and enters into vendor relationships with this as a primary concern.
On July 16, 2020, we were contacted by Blackbaud, one of the world’s largest providers of customer relationship management systems for nonprofit organizations and the higher education sector. Company representatives informed us that a ransomware attack was discovered in May 2020. The cybercriminal was unsuccessful in blocking system access and fully encrypting files and was ultimately expelled from their system. However, the cybercriminal was able to remove a copy of a subset of several of their clients’ data which included that of the Southern Arkansas University Foundation.
What information was involved?
A detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and third-party cyber security experts.
Blackbaud has confirmed that the investigation found that no encrypted information, such as social security numbers and bank account information, was accessible. Blackbaud also confirmed that no credit or debit card information was part of the data theft.
The Southern Arkansas University Foundation does not store credit card or debit card information. However, the data accessed by the cybercriminal in the Blackbaud database contained some of the following information:
- Public information such as name, title, date of birth, spouse;
- Address and contact information such as phone numbers and email addresses;
- Affiliation with Southern Arkansas University;
- Educational attainment.
What actions were taken by Blackbaud?
In addition to full cooperation with law enforcement and third-party experts, we have been informed by Blackbaud that in order to protect their customers’ data and mitigate potential identity theft, they paid the cybercriminal’s demand for confirmation that the copy of data removed from Blackbaud systems had been destroyed. Blackbaud has advised us that it received additional assurances of the destruction of data by third-party experts and has retained those experts to continually monitor the web for any potential misuse.
Steps we have taken in response
We immediately launched our own investigation and have taken the following steps:
- We are notifying affected constituents to make them aware of this breach of Blackbaud’s systems so they can remain vigilant;
- We are working with Blackbaud to understand why there was a delay between finding the breach and notifying us, as well as what actions Blackbaud has taken and is taking to increase its security.
Steps you can take in response
We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
For your convenience, the contact information for credit agencies is below:
- Equifax: https://www.equifax.com/personal/credit-report-services/ 800-685-1111
- Experian: https://www.experian.com/help/ 888-397-3742
- TransUnion: https://www.transunion.com/credit-help 888-909-8872
For more information
Blackbaud has issued a statement on their website regarding this incident. You can visit their site for more information. https://www.blackbaud.com/securityincident
For questions related to the security incident, contact Macy Braswell, Executive Director at firstname.lastname@example.org or 870-235-4078.
Blackbaud Security Incident Frequently Asked Questions
The following is a list of frequently asked questions and answers that have been provided by Blackbaud, Inc.
What happened?
Blackbaud discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt a business by locking companies out of their own data and servers. After discovering the attack, their Cyber Security team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking their system access and fully encrypting files and ultimately expelled the cybercriminal from their system. Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. The data set the cybercriminal was exposed to did not contain any credit card information. The cybercriminal did not access bank account information or social security numbers because they are encrypted. In accordance with regulatory requirements and in an abundance of caution, Blackbaud notified all organizations whose data was part of this incident and provided resources and tools to help assess this situation. Blackbaud has already implemented changes to prevent this specific issue from happening again.
Did Blackbaud pay the cybercriminal to contain the information they had?
Yes, Blackbaud went to all appropriate measures to protect their customers’ data, which was their top priority in that situation. Blackbaud has no reason to believe that any data was or will be made available publicly. As a matter of fact, Blackbaud did not pay the ransom until they received assurance that the data was destroyed. As a precautionary measure, they have hired outside experts to monitor the dark web indefinitely, and they have found no evidence that any information was ever released.
How can Blackbaud be sure the information the cybercriminal exposed was contained and wasn’t sold online?
Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Their motivation was to disrupt Blackbaud’s business by encrypting customer files in their datacenters, which Blackbaud was able to prevent. Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.
Why didn’t Blackbaud contact customers in May?
Blackbaud detected the first indicator of compromise on May 14, 2020. The cybercriminal’s activity was contained and stopped by May 20, 2020. All traces of the cybercriminal and their attempt to regain access ceased by June 3, 2020, and Blackbaud could focus on assessing the extent of the damage to the system and to data. Blackbaud conducted its own damage assessment and received a revised statement of affected files from the cybercriminal on June 18, 2020. Blackbaud’s third-party forensic assessor provided an official report on June 25, 2020. By July 9, 2020, Blackbaud developed enough certainty on information exposed and customers affected that it could work toward notifications. Customer notifications were made on July 16, 2020. From the beginning of the incident to the end, the risk of information exposure did not increase. Data exposed to the cybercriminal was held and then destroyed by the cybercriminal after they were paid a negotiated amount to do so. Blackbaud and third parties, including law enforcement, have been monitoring the dark web and found no instances of the compromised data being released.