Nonprofit Resources
Steps to Take After the Blackbaud Breach
If you are a Blackbaud client, you’re likely aware of the ransomware incident that affected the company on February 7, 2020 and was detected in May and announced on July 16. Blackbaud, which provides cloud software to many nonprofits and higher education institutions, said that it has notified affected clients.
If your organization or institution was affected by the breach, we recommend that you take the steps below. But even if you weren’t, it’s important to be aware of how these types of attacks occur and what you can do to lessen the risk and impact.
Understanding Ransomware Attacks
A cyber attack like the one at Blackbaud occurs when a form of malware known as ransomware encrypts data and systems in an attempt to block a company or user’s access to the data. The criminal’s goal is often to gain money by requiring a ransom to decrypt this data, but these attacks can also aim to disrupt an organization’s operations by restricting access to critical systems and data.
Ransomware continues to plague the IT world and the response can be complicated. Law enforcement continues to advise against paying the ransom as it directly funds other attacks. However, organizations need their data. If they don’t have quality backups to restore from, they may very well find themselves paying the ransom to continue their operations.
Paying the ransom, however, is not without risk. First, the criminals may not give you the decryption code to access your data — so you’d be out the ransom and still not have your data. Secondly, even once you get the decryption code the criminals may still have access to your data. You can’t know if it is still confidential and secure or if it is being mishandled or sold by criminals on the dark web.
Back to Blackbaud
In its notice about the breach, Blackbaud said its cybersecurity team worked with forensics experts and law enforcement to prevent full encryption of the data and expel the attackers from the system, but the criminals were able to remove a subset of data.
Based on the notice, it appears that backups of data were included in this attack, not live data. Blackbaud indicated that the criminals did not access credit card information, bank account information, or Social Security numbers. However, various news outlets reported that some donor names, addresses, contact information, and giving history were obtained.
Blackbaud paid the ransom to obtain confirmation that the extracted data had been destroyed and further indicated that there was no evidence that the data was misused, made public, distributed in another manner, lost, or corrupted. The company also said it is using a third party to monitor the dark web in the event this does not stay true.
Next Steps for Affected Organizations
After receiving the notice, many organizations still have concerns — and you may, too. What is the real impact on your organization, and what are realistic next steps?
- Determine the extent of exposure. Blackbaud indicated backups of data were affected, but what was included in those backups? This likely needs to be assessed on an individual organization level. What information is included by default in each record? Does your organization include more sensitive details in sub-fields, such as license or passport numbers? Depending on how you use the system, there may be sensitive data within records.
- Evaluate and clarify Blackbaud’s actions. Blackbaud said it gained assurance that the cybercriminals deleted the stolen data and confirmed that the cybercriminals were expelled from the network. However, can you ever trust a cybercriminal? What type of assurance did Blackbaud obtain? Blackbaud will be monitoring the dark web for exposed details, but what does this mean for you? Consider asking Blackbaud:
- How long does the company plan to provide this monitoring?
- What details are being looked for? Does it include the sensitive details in sub-fields?
- What will the company do if it finds your or your donors’ information on the dark web?
- Determine if notification to your affected constituents is required. Depending on where your organization is located and what privacy laws and regulations apply, there may be breach notification requirements if specific information was compromised. Many organizations are choosing to err on the side of transparency and openness with their constituents and are notifying their affected donors regardless of mandated requirements.
- Consider forcing a password reset and enabling multi-factor authentication (MFA). As noted, passwords were supposedly encrypted and not accessed by the cybercriminals. However, forcing a password change to your users can ensure the cybercriminals don’t have your login credentials. Similarly, revisit your application settings. Enforcing controls such as MFA can provide a layer of protection in the event that the criminals did actually obtain valid passwords.
- Evaluate the resources and tools Blackbaud has provided and determine what the company is doing to reduce the risk of reoccurrence. Blackbaud indicated that it has a toolkit, description of future plans, and template forms for notification. Review this information to ensure no additional questions arise. Also review Blackbaud’s plans to reduce the risk of future ransomware incidents.
- Consider requesting a periodic local backup copy of your data. While live data was not involved in the attack, what if it had been? How detrimental would it be if the ransomware affected your live data and Blackbaud could not restore it? Requesting a periodic backup, such as quarterly, may provide a layer of assurance that you still have your data in the event a larger ransomware issue occurs.
Once you’ve completed your assessment, document what happened, your investigation and analysis, and any steps taken. Consider presenting this analysis to your incident response team, IT committee, board, or another appropriate level of management. Your board and management are ultimately responsible for the security of the organization and its constituents, so you want to ensure they understand what happened, the actions taken, and the resolution.
Important Steps for All Organizations
The Blackbaud breach is not an anomaly. Reputable vendors are targeted all the time, and unfortunately, some of these attacks are successful and can affect your organization. The following steps can help you proactively plan for vendor issues and help you mitigate the impact if an incident occurs.
- Establish vendor management processes. Reviewing your vendors’ controls for security, business continuity, disaster recovery, and incident response can provide assurance that they have the means to protect your data. Similarly, strong vendor management oversight shows that your organization is exhibiting due care and its necessary due diligence.
- Ensure vendor controls contain critical IT stipulations. Contracts should define the vendor’s responsibility for confidentiality, information security of your data, and breach notification in the event an incident occurs.
- Establish a data inventory. Without knowing where your data is, who accesses it, and how it is stored, you may not know the full impact of a vendor issue. Maintaining this inventory will help you quickly assess the impact of a vendor issue.
- Come up with a plan to evaluate incidents at vendor locations. Ensure your Incident Response Plan defines vendor issues as incidents to be investigated. Many incident response plans focus only on internal attacks, but incidents at vendor locations still affect you and your constituents and should be considered
- Evaluate breach and privacy laws. Proactively investigating and knowing what data privacy laws apply to your organization ensures that you can respond faster. Many laws have timeframes for notification and if you don’t know these before the issue happens, you may not be able to comply.
- Enhance internal preparations. Think about what you can do internally. If a large vendor can become a victim, so can you! For example, enable strong application settings and establish retention periods for data in vendor systems to minimize the impact if there is a breach. Consider retaining periodic local backups of your hosted data.
If you have questions about this or other cybersecurity issues, please contact us at [email protected].
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.