Blackbaud Hack Sparks Identity Theft Fears

essidsolutions

When cloud provider Blackbaud’s systems were struck by a ransomware attack, it decided the smartest approach was to pay the ransom. The incident sparked widespread identity theft concerns when it emerged that hackers had stolen a subset of Blackbaud customer data and threatened to release it online. The victims include non-profits, universities and healthcare organizations.

Blackbaud, a cloud computing company, was reportedly the target of a ransomware attack that affected universities and several non-profits. A leading provider of cloud software for nonprofits, higher education institutions, K–12 schools, healthcare organizations, faith communities and cultural organizations, the U.S.-based company suffered a security incident in May 2020. The attack was aimed at a total service disruption by blocking access and encrypting files, as is the case in typical ransomware incidents.

 Those affected by the ransomware attack include:

  • Universities and education institutions: University of York, University College Oxford, the University of London, University of Leeds, University of Exeter, Ambrose University (Canada), the Rhode Island School of Design, Oklahoma State University, among others
  • National Trust (a charity and membership organisation for heritage conservation)
  • Non-profits: the Urology Foundation, Action on Addiction, the Choir with No Name, Maccabi GB, Sue Ryder
  • Human Rights Watch
  • Young Minds (mental health charity), and more.

Data such as name, date of birth, gender, address and contact details, all of which can enable identity theft, was reportedly compromised. According to reports, data on academic circles, extracurricular activities, profession, and employer was also compromised, which is a reason for concern.

Blackbaud notified affected organizations in July, which in turn advised relevant parties on the course of action. ESET obtained a screengrab of an email from the University of York to its community members.


Matt Aldridge, Principal Solutions Architect at Webroot, told ComputerWeekly, “Cyber criminals are becoming more inventive in the types of data and businesses they target, and no company is beyond a cyber criminal’s reach. Large service providers are clearly now prime targets, with the wealth of valuable personal data they hold on behalf of clients.”

While the University of York and National Trust suggested no actions need to be taken at the user level (students, volunteers, etc.), it is clear that organizations need to deploy robust cybersecurity measures like threat intelligence technologies and train employees and users to detect signs of malicious activity.

Those victimized by this attack especially need to keep a lookout for the looming risk of identity fraud, which can affect large and small organizations alike. Blackbaud explained that their cybersecurity team, along with independent forensics experts and law enforcement, managed to thwart the full scope of the attack. But the hackers did get their hands on a copy of a subset of data from Blackbaud’s self-hosted environment. However, the company reveals this did not include sensitive data like credit card, bank account information or social security numbers.

Following this, the company paid the ransom demanded in exchange for the destruction of the copy, citing the importance of “protecting our customers’ data” as their top priority. Some in the cybersecurity sphere might be at odds with Blackbaud’s decision to pay the ransom, since it can signal weakness. In Blackbaud’s case, a complete picture is unavailable, though it’s clear that the company did manage to keep the threat actors at bay, with only a fraction or ‘subset’ of its data being held for ransom. So, was Blackbaud’s decision to pay a ransom warranted?

They certainly think so. A spokesperson for the company said, “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”


This raises another question. Can the assurances provided by the perpetrators of cybercrime be trusted? The FBI doesn’t think so. According to the FBI, “There are serious risks to consider before paying the ransom. [The United States Government] does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.”

Forrester notes it should at least be considered as a viable option: “As ransomware grinds on, daily business operations come to a halt, and you may find your organization scrambling to find new ways to meet core functions, which puts stress on everyone. This problem is complicated even if you have good backups that survived the attack. Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.”

None of Blackbaud’s public cloud environments, AWS and Azure, were affected by the ransomware attack.
