CRM Firm Admits Paying Ransom; Waited Weeks to Notify Victims Despite GDPR Rules
Numerous unanswered questions persist concerning a ransomware outbreak at Blackbaud, which provides cloud-based marketing, fundraising and customer relationship management software used by thousands of charities, universities, healthcare organizations and others.
South Carolina-based Blackbaud, publicly traded on NASDAQ, bills itself as being “the world’s leading cloud software company powering social good.” It says its customers include more than 25,000 organizations in more than 60 countries.
In a data breach notification posted on its website on July 16, Blackbaud says ransomware-wielding attackers managed to exfiltrate and encrypt customer data in May.
“After discovering the attack, our cybersecurity team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system,” it says. “Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”
The breach notification predates the company’s second quarter earnings results, announced Wednesday, reporting total revenue of $232.0 million, up 2.8% from the second quarter of 2019.
But as of Wednesday, more than two months after the breach occurred and 10 days after the company posted its data breach notification, the company had filed no documents with the U.S. Securities and Exchange Commission to alert investors that it had suffered a data breach and ransomware infection and paid a ransom – of an undisclosed amount – to attackers (see: SEC Releases Updated Cybersecurity Guidance).
Despite the breach occurring in May, affected customers apparently were notified on or around July 16, when Blackbaud also published its breach notification.
GDPR’s 72-Hour Notification Requirement
The list of victims includes organizations in the European Union, where the General Data Protection Regulation requires that regulators be informed within 72 hours of any breach, with details of what happened and what was stolen. Regulators such as Britain’s Information Commissioner’s Office may then require the breached organization to alert affected customers.
As a data processor, Blackbaud would have been required to notify not just an EU data protection authority, such as the ICO, but also data controllers – its customers – within 72 hours of learning about the breach.
The company didn’t immediately respond to a request for comment about how many of its customers were affected, their identities, when they were all informed, when it alerted relevant regulators, or which strain of ransomware, or which gang, appeared to be involved.
But Blackbaud tells the BBC: “We take our regulatory responsibilities seriously and comply with GDPR at all times, including in this instance.”
The ICO didn’t immediately respond to a request for comment about when it first learned about the Blackbaud breach. The BBC, however, reports that the ICO wasn’t notified until weeks after the incident was discovered.
“Blackbaud has reported an incident affecting multiple data controllers to the ICO,” a spokesperson for the ICO tells the BBC. “We will be making inquiries to both Blackbaud and the respective controllers and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually.”
In terms of notifying both regulators as well as data controllers, meaning customers, Blackbaud’s delay clearly does not meet GDPR’s requirements.
“While the main obligation to report a data breach to the relevant data protection authority under GDPR – without undue delay and, where feasible, not later than 72 hours after having become aware of it – is on the data controller, the data processor also has an obligation to notify a data controller without undue delay after it becomes aware of a data breach,” attorney Jonathan Armstrong, a partner at London-based Cordery, tells Information Security Media Group. “Data controllers using Blackbaud will want to ask it why the report was delayed.”
In addition, he says this incident illustrates how “in most cases it is a myth that a ransomware attack need not be reported to a DPA,” and he expects EU regulators to “become more and more involved in the investigation of ransomware attacks.” He adds that “organizations must do all that they can to be prepared.” (See: Ransomware + Exfiltration + Leaks = Data Breach)
Victims Informed Weeks After Breach
One victim, Scotland’s University of Glasgow, said it first learned of the breach from Blackbaud on July 16. “The university has launched its own investigation and has contacted directly those who may have been affected. The university has also informed the Information Commissioner’s Office of the breach and is awaiting further guidance,” it says in its own data breach notification.
Exposed information included “web content and email messaging for alumni, donors and other contacts of the university,” it says. “We deeply regret the worry and inconvenience that this incident may have caused.”
Another victim was Australia’s University of Auckland, which says it has informed regulators.
“The cybercriminal responsible was able to take copies of information belonging to a large number of universities and charities around the world … [including] information from the University of Auckland,” the university says it was told by Blackbaud. “Although the encrypted data included contact details and dates of birth as well as information regarding donations and engagement with the university, it did not include passwords or credit card details.”
Other organizations that have confirmed that their information was exposed in the attack include the University of Liverpool, the University of Manchester and the University of Newcastle in England; the Boys & Girls Clubs of Delaware; Cancer Research Institute in New York; Emerson College in Boston; and the University of Western Ontario, among many others, the BBC reports. “The problem is so widespread across the higher-education sector that some universities – including the University of Edinburgh and Aston University, Birmingham – have posted notices to say their data was not involved,” according to the BBC.
Blackbaud Paid Ransom
Blackbaud says it paid a ransom, of an undisclosed amount, to attackers in return for their promise to delete the stolen data. “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” it says. “Based on the nature of the incident, our research, and third-party – including law-enforcement – investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
While there is no law in the U.S. or UK against paying a ransom – provided funds don’t trace to cryptocurrency wallets tied to any known terrorist groups or other sanctioned entities – security and law enforcement experts recommend never paying a ransom to attackers because it directly funds further attacks and further legitimizes this type of crime as a viable, albeit illicit, business model (see: Ransom Demands: What Happens If Victims Pay or Don’t Pay?).
Cordery’s Armstrong says that with ransomware attacks on the increase, especially as the COVID-19 pandemic continues, organizations should consider whether they want to contractually prohibit service providers from paying ransoms. In addition, as part of doing due diligence before working with any provider, “you should make sure that the provider has adequate technical and organizational measures in place” to defend against ransomware attacks, he says.
Can Criminals Be Trusted?
Many users of Blackbaud’s software are involved in fundraising, including from individuals with a large net worth. As a result, those individuals could now draw ransomware attackers’ attention and face attempted extortion, with attackers threatening to leak information about the individuals that fundraisers at universities and other organizations might be courting.
Blackbaud didn’t immediately respond to a request to be put in contact with one of the third-party investigators it worked with, which could help validate the company’s assertion that, on the strength of its attacker’s promises, none of the stolen data “was or will be misused” or “will be disseminated or otherwise made available publicly.”