The Blackbaud Breach
In July of this year, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of administration, fundraising, and financial management software, notified its clients that it had discovered and stopped a ransomware attack. In a public statement, Blackbaud described the attack:
In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. . . . Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. . . . The subset of customers who were part of this incident have been notified and supplied with additional information and resources.
Since its July announcement, nonprofit organizations throughout the world have issued their own notices of breach to their stakeholders, relying in large part on Blackbaud’s description of the breach.
Key Takeaways from the Breach
While data breaches are an almost daily occurrence, the Blackbaud breach is notable for a couple of reasons. First, even though it was able to prevent the ransomware attack, the cybercriminal exfiltrated unencrypted data from Blackbaud’s servers, in reaction to which Blackbaud elected to pay a ransom for the criminal’s agreement to destroy the data – given the reliability of criminals, a somewhat dubious promise. The response indicates that Blackbaud was threatened with a new, but increasingly common, tactic in ransomware attacks – the cybercriminal will couple a ransomware attack with theft of data, and threaten to make the data public unless it receives payment. As more and more companies are able to reconstruct compromised systems through backups and other means, cybercriminals have found a new way to monetize their attacks.
More importantly, the fact that this breach created a waterfall of breach disclosures reflects the impact of vendors on today’s data environment. Blackbaud provides comprehensive data, financial management, fundraising, payment, and other services to schools, museums, faith communities, foundations, healthcare organizations and nonprofit organizations, and those entities rely on Blackbaud for critical functions that are essential to their missions.
The Role of Vendors
Firms increasingly rely on vendors for data management functions. The 2018 Ponemon Institute survey of data breaches reported that that at least 56% percent of organizations participating in the survey experienced a data breach due to a vendor’s security shortcomings. At the same time, companies are increasingly reliant on vendors – a recent Bomgar survey reported that, on average, companies allow 89 vendors to access their networks weekly, and that 71% of respondents expect to become more reliant on third parties in the coming years. Continue reading