It has recently been reported that Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software for nonprofits, suffered a ransomware attack back in May of 2020. Blackbaud paid an undisclosed amount of money to the attacker to end the ransomware lockdown, under the attacker’s promise that any copies of data the attacker had made would be destroyed. So far, over 20 organizations (mostly higher education) have been identified as having some of their data compromised by the breach. The individuals whose data was compromised included former and current students, staff, and other supporters of the affected organizations. According to Blackbaud, the information stolen included names, demographics, and other personal information, but the attacker was not able to access critical information such as credit card data, social security numbers, or banking information.
The act of paying ransomware attackers goes against the recommendations of numerous law enforcement agencies. Authorities hope that by encouraging organizations to never pay ransomware attackers, there will be fewer attackers attempting these attacks once the chance for monetary gain is greatly decreased. Furthermore, you can only take the attacker’s word that they will delete any copies of the data. Look at the situation from the attacker’s point of view: the affected organization has paid you to remove the encryption from their data so they can resume normal operations. If you have made a copy of their data, you can then get a second payday by selling that data on the dark web. There is little incentive for attackers to keep their word and delete the copies of data that they likely made.
When a breach like this affects one of your organization’s vendors, do you know how to respond? Your incident response plans should be able to guide you through an appropriate response. There are also several common-sense vendor management steps to conduct in the event of a breach. These steps include:
Now more than ever, organizations must conduct due diligence to ensure the vendors they choose take security seriously and will do everything possible to protect sensitive information. Compass IT Compliance has spent the past decade assisting organizations in reviewing their vendor management programs and risks. We also specialize in business resilience reviews, incident response planning, and live incident response. Contact us today to learn more and discuss your unique situation!