Updated as of 10/9/2020 - The recent social-good relationship management software data breach has nonprofit organizations left to figure out what to do next. Blackbaud, a cloud software company used primarily by nonprofits, announced that it was the victim of a ransomware attack. Also, according to a filing with the U.S. Securities and Exchange Commission, Blackbaud acknowledges that a ransomware attack in May that affected its clients could have exposed much more personally identifiable information (PII) – including banking details – than the company initially believed. The number of people affected is still unknown, and more information needs to be gathered to judge the attack’s actual scope.
However, the Identity Theft Resource Center (ITRC) has tracked 255 organizations and seven million people affected. People who engage with organizations that utilize Blackbaud could be at risk of scams and social engineering.
In May 2020, a ransomware attack was partially thwarted. However, the perpetrator copied a subset of data before being locked out. The hackers then offered to delete the data for an undisclosed amount of money. According to Blackbaud, they paid the ransom and received confirmation that the copy that had been removed was destroyed. However, the confirmation was not detailed. Blackbaud says it has no reason to believe that any data went beyond the cybercriminal, or that it was or will be misused.
The information exposed in the breach includes telephone numbers, email addresses, dates of birth, mailing addresses, donation dates, donation amounts and other donor profile information.
Right now, the following third-party vendors are reporting Social Security numbers being involved: The University of Detroit Mercy, Seeds of Peace, Crystal Stairs, Inc., Concord Academy, Bridgewater State University, Spectrum Health Lakeland, Vermont Student Assistance Corporation, Ball State University Foundation, William & Mary Business School Foundation, Salem State University, University of South Carolina Upstate Foundation, Shady Hill School, Berkshire Farm Center & Services for Youth, Inc., and Marywood University.
There have also been notices of financial information and credit card information being exposed. Blackbaud is calling the incident a security incident.
How it Can Impact You
Apart from the hackers, no one knows whether more PII was stolen. Consumers impacted by the Blackbaud data breach could be at risk of scams (particularly giving and donation scams) and social engineering tactics. Multiple sectors were also impacted by the attack.
Healthcare organizations all over the world use Blackbaud as their cloud software company. According to Blackbaud, 30 of the top 32 largest nonprofit hospitals are powered by their solutions. The ITRC has seen multiple data breach notices from healthcare organizations affected by the Blackbaud data breach. Since the breach impacted donors primarily, it could mean those individuals may be more susceptible to being targeted by fraudsters in the future. As of this writing, no personal health information (PHI) has been involved.
Blackbaud plays a significant role in the education sector. They offer school management software to K-12 schools, as well as universities. Some of the management software includes student information, learning management, enrollment management and school websites. Many schools and districts have acknowledged they were impacted by the Blackbaud data breach. Most of the information involved includes donor information, alumni information and student demographic information.
Blackbaud is a service that is used primarily by nonprofits. Blackbaud offers an array of software services that cater to nonprofits worldwide, but is best known for its customer relationship management (CRM) tools. Many nonprofits use these to nurture their donors and fundraising. The range of types of nonprofits affected by the attack is vast. In fact, some Blackbaud nonprofits continue to come forward about whether or not they may have been impacted. Now, many nonprofits are trying to figure out their next steps for how to securely manage their CRM needs.
What You Need to Do
The Blackbaud data breach and its impacts on businesses and consumers are specific to each affected entity and customer. Blackbaud has said that it notified its affected customers of the breach, and those customers should be notifying their impacted individuals. Depending on what information was exposed, the steps for those affected individuals could vary. Anyone who receives a notification letter regarding the Blackbaud data breach should not dismiss the letter and take the notice’s recommended steps.
The biggest threat, based on the data compromised, is social engineering. Employees of the nonprofit organizations impacted by the breach may receive emails that look like they are from an executive, in an attempt at spear phishing.
Donors and members of the nonprofit organizations impacted by the Blackbaud data breach may receive messages asking to provide their personally identifiable information (PII) to update their contact or financial information, either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with. If an employee comes across an email they find suspicious, they should go directly back to the person it claimed to come from and verify the validity of the message if it is internal. If it is someone claiming to be from outside the organization, it should be run by their manager, IT services, or someone familiar with the relationship.
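The phishing pattern described above relies on a link whose real destination is not the nonprofit's own domain, often hidden behind visible text that looks like the legitimate address. The following is an added example, not code from the ITRC or from Blackbaud, showing how a mail-filtering or help-desk script could flag such links before anyone clicks them. The domain `example-charity.org`, the lookalike host `update-account.example.net` and the sample message are all constructed placeholders; `TRUSTED_DOMAINS` is a hypothetical allowlist the organization would maintain itself.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains the nonprofit actually owns.
# "example-charity.org" is a constructed placeholder, not a real organization.
TRUSTED_DOMAINS = {"example-charity.org"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (adequate for .org/.com; a
    public-suffix list would be needed for country-code suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the link's registrable domain is one the nonprofit owns."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in trusted


def find_suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) pairs for links that warrant verification through
    a known-good channel before anyone clicks or enters information."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        # Only web links are examined here; mailto:/tel: are skipped.
        if urlparse(href).scheme not in ("http", "https"):
            continue
        if not host_is_trusted(href, trusted):
            findings.append((href, "link host is not one of the nonprofit's domains"))
        # Visible text that shows one URL while the real target is another.
        shown = re.search(r"https?://\S+", text)
        if shown:
            shown_domain = registrable_domain(urlparse(shown.group(0)).hostname or "")
            real_domain = registrable_domain(urlparse(href).hostname or "")
            if shown_domain != real_domain:
                findings.append((href, "visible URL text does not match the real link target"))
    return findings


# Constructed sample message: one genuine link, one subdomain of the real
# domain, and one lookalike whose visible text imitates the nonprofit's address.
SAMPLE_MESSAGE = """
<p>Dear donor, please update your payment details before your next gift.</p>
<a href="https://example-charity.org/donate">Our donation page</a>
<a href="http://example-charity.org.update-account.example.net/login">https://example-charity.org/account</a>
<a href="https://giving.example-charity.org/profile">Update profile</a>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS: {href}\n  reason: {reason}")
```

Running the script flags only the lookalike link, for two reasons: its registrable domain is `example.net`, not the nonprofit's, and its visible text advertises a different address than the one it actually opens. The legitimate subdomain `giving.example-charity.org` passes, which is why the check compares registrable domains rather than exact hostnames. A flagged link is a cue to do what the notice recommends: contact the organization through a number or address you already know rather than the one in the message.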
Anyone who believes they were impacted by the Blackbaud data breach can call the ITRC toll-free at 888.400.5530. They can also live-chat with an expert advisor. Another option is the free ID Theft Help app. The app has resources for victims, a case log, access to an advisor and much more.