Software Vendor ‘Normalizes Hacking,’ Fails to Account for Notification Delay
How many different shades of bizarre is the data breach notification issued by Blackbaud?
Breach victims employing maximum marketing spin is nothing new. But over the course of three paragraphs, the South Carolina-based vendor of marketing, fundraising and customer relationship management software attempts to set its culpability to nil, congratulates itself for having an amazing cybersecurity team and says that because it cares so much for its customers, it paid an undisclosed ransom to attackers to delete stolen data (see: Questions Persist About Ransomware Attack on Blackbaud).
“The entire first paragraph is dedicated to normalizing hacking”
The problems start from the beginning: “The cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time – a threat to all companies around the world,” it begins. “Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert cybersecurity team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry.” (Except, of course, when it doesn’t.)
So for starters, thank you Blackbaud, for that unsolicited thesis on online crime – really, who wouldn’t blame market forces? – before sliding ever so smoothly to mention “a particular security incident that recently occurred.” To whom, you ask, might that have been?
Bonus points: “The entire first paragraph is dedicated to normalizing hacking: ‘All the other kids are dealing with hackers too,'” as noted via Twitter by Australian data breach expert Troy Hunt, who runs the free Have I Been Pwned breach-notification service.
‘Protecting Our Customers’ Data is Our Top Priority’
After the first paragraph, things get even stranger: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy [of customer data] they removed had been destroyed,” Blackbaud states.
So extortionists successfully exfiltrated data for an untold number of customers and have super-promised – “on my honor!” – to delete the stolen data, having received their bitcoin payoff.
And Blackbaud has packaged all of this up in a July 16 blog post titled: “Learn more about the ransomware attack we recently stopped,” which alone is glaring for the fact that Blackbaud claims to have stopped the attack literally because it paid attackers for their promise to do so.
As the Brits say: “Are you having a laugh?”
GDPR’s 72-Hour Notification Rule
Speaking of Britain, organizations that store or process Europeans’ data must comply with the EU’s General Data Protection Regulation. GDPR stipulates that organizations that suffer a data breach that may have exposed Europeans’ personal details must notify an EU data protection authority, such as Britain’s Information Commissioner’s Office; and any data controllers within 72 hours, including relaying details of what happened, when and how. In the case of Blackbaud, per GDPR it’s a data processor, processing data on behalf of its customers, who are the data controllers. In the event of a breach, both must potentially notify regulators.
Blackbaud has told the BBC: “We take our regulatory responsibilities seriously and comply with GDPR at all times, including in this instance.”
Yet Blackbaud says it discovered the breach in May, and customers say they weren’t notified until July 16.
Under GDPR, EU data protection authorities, including the ICO, can fine organizations up to 4 percent of their annual global revenue or €20 million ($23.7 million) – whichever is greater – if they violate Europeans’ privacy rights, for example, by failing to secure their personal data. Separately, organizations that fail to comply with GDPR’s reporting requirements also face fines of up to €10 million ($11.8 million) or 2 percent of annual global revenue. Regulators can also withdraw an organization’s ability to process Europeans’ personal data.
Many customers of Blackbaud – charities, universities, healthcare organizations and others – have come forward to say they were victims. Those educational institutions include England’s University of Manchester, Australia’s University of Auckland, Emerson College in Boston, Canada’s University of Western Ontario, National University of Ireland in Galway and New Zealand’s University of Auckland. “And internationally, museums, schools, churches and food banks have also been affected,” BBC reports. Another victim, ITV reports, is Britain’s Labour party, which says that confidential information about donors – including their personal views – was exposed.
— Troy Hunt (@troyhunt) July 30, 2020
What Blackbaud Doesn’t Say
Left unsaid in Blackbaud’s breach notification are answers to numerous, pertinent questions, all of which I’ve posed to the software provider (and will update this post if I hear back):
- How big was the breach? Blackbaud won’t say, except to note that it involved a “subset” of its approximately 25,000 customers, adding that all victims have been directly notified. In Britain, the ICO tells the BBC that 125 U.K.-based organizations have already filed data controller breach notifications “so far” on the heels of the July 16 notification from Blackbaud, while 33 charities have reported the breach to the U.K.’s Charities Commission.
- Why the weeks-long notification delay? The ICO says it will be questioning Blackbaud and its customers. Potential fines could be forthcoming, not just because of the notification delay, but also if the regulator’s probe finds Blackbaud’s security defenses weren’t sufficiently robust.
- Why trust attackers? Blackbaud says it thinks paying off attackers has made them go away. “Based on the nature of the incident, our research, and third-party – including law enforcement – investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” it says. That’s quite a belief. So I’ve asked Blackbaud to put me in touch with any of the third-party firms with which it worked to hear why they think the attacker should be trusted to honor such a promise.
- Is Blackbaud’s cybersecurity good enough? “Over the last five years, we have built a substantial cybersecurity practice with a dedicated team of professionals,” Blackbaud’s self-congratulatory breach notification states. “We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again.” In other words, an attacker found a vulnerability and exploited it. Of course, every organization can suffer a breach, even if it has great policies, procedures and defenses in place – such as happened with Danish shipping giant Maersk during the NotPetya outbreak. But was Blackbaud’s security Maersk-class? Expect the ICO’s probe to ascertain that.
- Exactly how did attackers gain network access? Attackers were able to gain remote access to Blackbaud’s systems, exfiltrate data and encrypt backup files. Blackbaud says it stopped the attack from getting any worse than that, but hasn’t offered any details on which gang or strain of ransomware might have been used against it, how they got in, or how they were able to exfiltrate so much data undetected. Expect an ICO probe to shed light on what happened.
- Why would thieves honor promises? Some customers of Blackbaud actively raise funds from individuals who have a high net worth. And some victim organizations have told the BBC that exposed donor information included these individuals’ names, ages, addresses, estimated wealth and assets, history of philanthropic giving, information on their spouses and the total value of past donations they’ve made to an organization. (Blackbaud says no payment card or account information was exposed.) For fraudsters, such details could be a potential goldmine; they could try to shake down these individuals for a ransom payment in return for not dumping the data.
- Has Blackbaud painted a target on its back? Organizations that pay a ransom make themselves a target. Sometimes the same gang makes a return, or it turns out that it was never successfully ejected from the network in the first place (see: 8 Tips for Crafting Ransomware Defenses and Responses). Or other groups might come calling, as happened with Australian shipping giant Toll Group, which suffered two ransomware hits in less than six months, first getting infected by Mailto ransomware – aka Netwalker – and later by attackers wielding Nefilim. Will Blackbaud suffer a similar fate?
Those are just some of the questions outstanding from Blackbaud’s initial data breach notification. What might the next installment hold?