In 2020, Blackbaud – a cloud software company serving a number of healthcare organizations, educational institutions and other non-profit organizations in North America and the United Kingdom – became the target of a ransomware attack. Although Blackbaud paid a ransom to the cybercriminal responsible for the attack, the incident still left a number of the company’s customers with their sensitive data compromised, ultimately affecting hundreds of organizations and millions of individuals. The Blackbaud incident highlighted the supply chain exposure that ransomware attacks can create, as well as the cybersecurity risks that may persist even after a ransom has been paid.
In addition to incurring significant recovery costs and litigation from this attack, Blackbaud also encountered widespread criticism for its poor response tactics and initial lack of transparency regarding the incident. There are various cybersecurity lessons that organizations can learn by examining the details of this attack and its impact. Here’s what your organization needs to know.
Details of Blackbaud Supply Chain Ransomware Attack
On February 7, 2020, a cybercriminal gained unauthorized access to Blackbaud’s nonprofit donor program, known as Raiser’s Edge. The cybercriminal used sophisticated tactics to infiltrate this program and mimic legitimate customer activity, which prevented Blackbaud’s endpoint detection system from flagging any security issues. From there, the cybercriminal began accessing and attempting to encrypt sensitive data from Raiser’s Edge – data that belonged to Blackbaud’s customers and their donors.
The cybercriminal’s activity went undetected for several months, until May 14, 2020. At that time, Blackbaud’s cybersecurity team became aware of the incident because of a suspicious login attempt. With the help of forensic experts and law enforcement agencies, the team was able, by June 3, 2020, to expel the cybercriminal from Raiser’s Edge and prevent them from blocking access to the program or fully encrypting the sensitive data. Nevertheless, the cybercriminal had been able to make a copy of a subset of the sensitive data in the program before being removed. The cybercriminal then used this copy to carry out a ransomware attack on June 18, 2020, threatening to disclose the sensitive information if they were not paid. Blackbaud decided to pay the cybercriminal on the condition that they destroy the copy.
The company did not inform the public about the incident until July 16, 2020. On that date, Blackbaud issued a statement describing the details of the attack and confirming that it had paid the cybercriminal’s ransom demand. In this statement, the company claimed that no personally identifiable information (PII) had been compromised during the incident. Blackbaud further stressed that it had no reason to believe that any data would be misused or published in the future.
Nevertheless, a regulatory filing later revealed that various types of PII had been compromised during the attack. This PII included Social Security numbers, driver’s license numbers, passport numbers, health and financial information, dates of birth, e-mail addresses, telephone numbers, postal addresses, donation dates, donation amounts and additional donor profile information. According to the Identity Theft Resource Center, the incident affected an estimated 536 organizations and 13 million individuals across the United States, Canada and the United Kingdom. Several notable organizations were among those affected, including National Public Radio, Vermont Foodbank, Human Rights Watch, Northwest Immigrant Rights Project, Young Minds, the Smithsonian and more than 10 universities in England. What’s worse, the message Blackbaud received from the cybercriminal claiming that the copy of the data had been destroyed was rather vague – which led some cybersecurity experts to believe that the copy still exists and could be used in future attacks.
Effect of Blackbaud Supply Chain Ransomware Attack
Blackbaud experienced a number of consequences as a result of this cyber incident, including the following:
In addition to paying an undisclosed ransom during this attack, Blackbaud also faced a number of recovery costs. According to the US Securities and Exchange Commission, Blackbaud incurred costs of more than $3 million to recover from the attack between July and September 2020. These costs included notifying affected customers, investigating the cause of the incident and implementing improved cybersecurity measures to prevent future attacks.
Damage to reputation
Blackbaud met with widespread criticism for complying with the cybercriminal’s demands and paying a ransom during this attack. After all, the FBI encourages organizations to refrain from making such payments, as there is no guarantee that the cybercriminal will keep their promises, which could lead to future incidents. The company also faced significant scrutiny for taking a lengthy period to inform the public (and affected customers) about the attack, as well as for its initial lack of transparency regarding the incident. By failing to acknowledge the possibility that PII had been compromised in the midst of the attack, Blackbaud undoubtedly lost some degree of both customer and public confidence when the truth eventually emerged.
In the aftermath of the attack, Blackbaud was named as a defendant in a total of 23 putative consumer class actions, including 17 in U.S. federal courts, four in U.S. state courts and two in Canadian courts. These lawsuits claim that Blackbaud failed to adequately prevent, detect and respond to the attack. Furthermore, they allege that Blackbaud did not take reasonable steps to protect customers’ and donors’ PII, nor did it correctly identify how much data had been compromised. In addition, Blackbaud failed to comply with the notification requirements set out in the UK General Data Protection Regulation (GDPR). Under the GDPR, organizations must notify both regulators and customers within 72 hours of discovering a cyber incident. Blackbaud took several weeks to issue such notices.
There are several cybersecurity lessons to be learned from the Blackbaud supply chain ransomware attack. In particular, the incident highlighted the following:
Non-profit organizations are key targets for cybercriminals.
Due to the large amount of PII that non-profit organizations often store in their donation and fundraising systems, these organizations are frequently top targets for cybercriminals. This point was further emphasized by the Blackbaud incident, in which a cybercriminal exploited the company’s software to access non-profit organizations’ data. According to a recent study by the Institute for Critical Infrastructure Technology, 50% of non-profit organizations have experienced a ransomware attack at some point. Despite this number, data from the Nonprofit Technology Enterprise Network showed that more than two thirds (68%) of non-profit organizations lack documented cybersecurity policies and procedures, while 59% do not provide routine cybersecurity training to their staff – making them increasingly vulnerable to attack. With this in mind, it is crucial for non-profit organizations to prioritize cybersecurity measures to prevent potentially costly incidents.
Exposures to the supply chain must be considered.
This attack emphasized the importance of organizations evaluating and addressing security issues within their supply chains. Even if an organization follows proper cyber policies and procedures internally, a vendor that has been compromised can still threaten its security and digital assets. Supply chain exposures can come from a variety of channels – including providers with access to organizational networks, third parties with insufficient data storage safeguards, and providers with poor overall cybersecurity practices. Although it is not possible to completely eliminate supply chain risk, there are several steps organizations can take to help reduce these exposures, such as incorporating cybersecurity expectations into supplier contracts, minimizing third-party access to organizational data, and monitoring suppliers’ compliance with supply chain risk management procedures.
Response plans for cyber incidents make a difference.
Blackbaud’s slow response to this incident attracted widespread criticism and exacerbated the overall costs associated with the attack. Such prolonged recovery problems show how important it is to have an effective cyber incident response plan in place. This type of plan can help an organization establish rapid response protocols to reduce losses and act appropriately in the midst of a cyber incident. A successful incident response plan should describe potential cyberattack scenarios, methods for maintaining key functions under those scenarios, and the persons responsible for performing such functions. The plan should also provide procedures for notifying relevant parties (e.g., customers, shareholders and regulators) of an attack. It should be routinely reviewed through various activities (i.e., tabletop exercises) to ensure its effectiveness and identify ongoing vulnerabilities, and adjusted as necessary based on the results.
Ransomware attacks have unique consequences.
It is important to note that Blackbaud made a mistake when it complied with the cybercriminal’s demands and paid a ransom during the attack. While paying may allow for a faster recovery from an incident, it can lead to future cybersecurity problems if the cybercriminals do not keep their word. With that said, it is best to contact law enforcement immediately after detecting a ransomware attack, as this practice can help minimize potential losses, improve incident investigation processes, and better identify perpetrators.
Compliance with cybersecurity is crucial.
Blackbaud faced significant regulatory consequences for failing to maintain adequate cybersecurity measures and to comply with the GDPR notification requirements. This incident showed how important it is to remain compliant with applicable cybersecurity laws – especially as such legislation becomes increasingly common. In fact, a number of states (such as California, Maine and Nevada) have enacted stricter cybersecurity laws in recent years, and additional states may well follow suit. As cybersecurity legislation continues to evolve, consulting an appropriate legal adviser can help simplify the compliance process.
Proper coverage can provide much-needed protection.
Finally, this attack made it clear that no organization – not even a major provider of cloud software – is immune to cyber-related losses. This is why it is crucial to ensure adequate protection against potential cyber incidents by ensuring proper coverage. Specifically, most organizations can benefit from having dedicated cyber insurance. However, it is best to consult a trusted insurance specialist when navigating these insurance decisions.
We can help.
If you want additional information and resources, we are here to help you analyze your needs and secure the right coverage to protect your business from unnecessary risks. You can download a free copy of our e-book, or, if you are ready to make Cyber Liability Insurance part of your insurance portfolio, request a proposal or download our Cyber & Data Breach Insurance Application and we will get to work for you.