A ransomware attack at fundraising technology provider Blackbaud is raising questions for a wide range of nonprofits that were affected.
Last week, the company disclosed it had experienced a ransomware attack in May. The cybercriminal intended to block the company’s access to its data, but the company, along with external forensics experts and law-enforcement officers, was able to prevent that from happening, Blackbaud wrote in a statement. The criminal succeeded in removing a copy of some customer data that included fields like donor names, addresses, contact information, and giving history, according to statements from nonprofits and news reports. Blackbaud paid a ransom of an undisclosed amount to encourage the cybercriminals to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” the statement said. Bank information and credit card and Social Security numbers were not compromised, the company said.
“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” the statement reads.
But some nonprofits aren’t satisfied that they have the information they need.
It’s unclear how many organizations globally were affected, but those that were vary widely and include large colleges and universities, international charities, and small local nonprofits.
Blackbaud, a market leader in nonprofit fundraising software, said the majority of its customers were not affected. A spokesperson declined to say how many organizations were involved. In Britain alone, 125 organizations have reported the breach to the Information Commissioner’s Office, the BBC reported Tuesday.
Frustrated Customers
Organizations whose data was taken have been notifying supporters of the breach in the days since the attack became public.
The American Civil Liberties Union sent a blunt email to its supporters on Friday.
“In all candor, we are frustrated with the lack of information we’ve received from Blackbaud about this incident thus far,” reads the email signed by chief development officer Mark Wier and chief operating officer and general counsel Terence Dougherty. “The ACLU is doing everything in our power to ascertain the full nature of the breach, and we are actively investigating the nature of the data that was involved, details of the incident, and Blackbaud’s remediation plans.”
Other groups say they’re conducting their own inquiries into the incident, and some, like the ACLU, say they’re re-evaluating their relationship with the technology firm.
Colleges and universities in the United States, Canada, and Britain have notified their alumni and donors of the breach. The University of Dayton, Middlebury College, Bentley University, and the New College of Florida are among those that were affected.
When advancement leaders at the New College of Florida were notified last Thursday that the college’s data was taken, the staff and the general counsel evaluated whether it was necessary to notify donors, alumni, faculty, and others in their database.
Based on the information the cybercriminal had accessed from the college — contact information — “we eventually came to the conclusion that while we weren’t under any legal requirement to notify, based upon what Blackbaud was telling us had been accessed, we felt that it was ethical to notify our constituents that this had taken place,” says Kevin Hughes, associate vice president for advancement at the New College Foundation, which supports the college.
The college’s general counsel is following up with Blackbaud to try to determine exactly whose contact information was accessed. In the meantime, out of an abundance of caution, the college emailed all of the roughly 14,000 contacts in its database.
So far, says Hughes, the response has been muted: Just four people have replied.
In response to the breach, the foundation’s database manager and director of finance are reviewing internal policies for how the college stores information in Blackbaud’s databases, he says.
The Jackson Laboratory, a biomedical research organization in Bar Harbor, Me., emailed donors with news of the breach. “We directly emailed our donors, and they were appreciative of our transparency and proactive approach in reaching out to them,” Maggie Moore, associate director of development communications, said in an email.
Vermont Public Radio was also affected and has been notifying its supporters.
“We’ve heard from donors who are appreciative that we shared the information and are being transparent, donors concerned about the security of their information, and some donors also asked to have their sustaining memberships (a monthly donation) canceled,” Brendan Kinney, the station’s senior vice president for development and marketing, told VTDigger.org, a nonprofit news website in the state.
Blackbaud notified the customers whose data was accessed by the hacker, and it shared resources with them, including guidance on notification requirements and templates for notifying supporters.
The firm has hosted webinars to take questions and opened up a customer service phone line to answer individual questions. “We continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” a spokesperson told the Chronicle in an email.
‘Good Data Stewardship’
The attack should be a wakeup call for nonprofits, says Amy Sample Ward, CEO of NTEN, a network of nonprofit-technology professionals.
“We’re in a world where either ransomware attacks or other types of hacking are a real threat,” she says. “Blackbaud is massive. So, so many nonprofits may work with them on one platform or another. So of course they would be a target, right? Because the data is just going to be that much bigger.”
The most important lesson to take from the incident is that nonprofit organizations are just as vulnerable, she says. “If a giant, massive Blackbaud can have this situation, so can they. So what are they doing?”
Ward says nonprofits should use this moment to communicate to supporters the proactive steps they’re taking to protect donor data.
NTEN surveyed more than 250 nonprofits for its 2018 report on the state of cybersecurity. Fewer than half of the respondents said their organizations have policies on cyberattacks, and only 40 percent said they provide regular cybersecurity training for staff.
“This is an opportunity for trust building,” Ward says, “for owning the responsibility of good data stewardship and data protection for our community members in an inclusive way beyond just referencing whatever data or systems may be with Blackbaud.”
As affected nonprofits issue their statements in the wake of a hack, they should share whatever information they can, Ward advises. Some organizations may feel like they need to wait to communicate until they get more answers from Blackbaud, she says. But they shouldn’t hold back and can continue to update supporters. “Saying something is better than saying nothing.”