Blackbaud Breach – Time to Review Your Vendors

It has recently been reported that Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software for nonprofits suffered a ransomware attack back in May of 2020. Blackbaud paid an undisclosed amount of money to the attacker to end the ransomware lockdown, under the attacker’s promise that any copies of data that the attacker made would be destroyed. So far, over 20 organizations (mostly higher education) have been identified as having some of their data compromised by the breach. The individuals whose data was compromised included former and current students, staff, and other supporters of the affected organizations. According to Blackbaud, the information stolen included names, demographics, and other personal information, but the attacker was not able to access critical information such as credit card data, social security numbers, or banking information.

The act of paying ransomware attackers goes against the recommendations of numerous law enforcement agencies. Authorities hope that by encouraging organizations to never pay ransomware attackers, there will then be less attackers attempting these exploits if the chance for monetary gain is greatly decreased. Furthermore, you are only able to take the attacker’s word that they will delete any copies of the data. Look at the situation from the attacker’s point of view; the affected organization has paid you to remove the encryption on their data so they can resume normal functions. If you have made a copy of their data, you can then get a second payday by selling this data on the dark web. There is little incentive for attackers to keep their word and delete the copies of data that they likely made.

When a breach like this affects one of your organization’s vendors, do you know how to respond? Your incident response plans should be able to guide you through an appropriate response. There are also several common-sense vendor management steps to conduct in the event of a breach. These steps include:

• Reaching out to the vendor – do not rely on the vendor’s press release and assurances that all is well. Make sure you get clarification of the event with personal written communication that details what happened, who was affected, when the event occurred, what steps were taken to stop it, and what steps are being taken to prevent it from happening again. This will include ensuring that privacy laws (GDPR, CCPA, etc.) are followed.
• Communicating with affected users – Even if it is a vendor system, the data belongs to you, and they are your students, alumni, and patrons. At the very least, a notice on your website (especially right before accessing the affected system) is critical. The Rhode Island School of Design (RISD) provided the following response to the breach: https://www.golocalprov.com/news/risd-announces-data-has-been-hacked-data-breach-and-attempted-ransomeware-a
  In addition to notifying users, there may be local, state, and federal notification requirements that are necessary for you to take as well.
• Vendor due diligence and reviews – Any vendor working with your organization that suffers a breach should go through renewed scrutiny. You may require scans and reports showing a clean bill of health, or even ask for a right to audit if you have that clause in your contract. In any case, taking a heightened security posture is warranted, especially if it is a critical vendor. In some cases, alternative vendors might be sought out depending on the severity of the event and the risk tolerance of the organization.

Now more than ever, organizations must conduct due diligence to ensure the vendors they choose take security seriously and will do everything possible to protect sensitive information. Compass IT Compliance has spent the past decade assisting organizations in reviewing their vendor management programs and risks. We also specialize in business resilience reviews, incident response planning, and live incident response. Contact us today to learn more and discuss your unique situation!