Fundraising software company Blackbaud has for months told its nonprofit clients that the ransomware attack earlier this year compromised personal information such as names, addresses, phone numbers, and giving history stored on the company’s cloud server. Until this week, the company said the breach did not expose information like bank details, passwords, and Social Security numbers.
But the firm on Tuesday updated its statement with a disclosure that the cybercriminal did in fact access such data from some affected organizations.
Blackbaud has declined to share the number of customers affected by the breach, aside from stating that the majority of the firm’s 45,000 customers were not involved. Caroline Stallings, director of corporate communications at Blackbaud, said the latest disclosure “applies to only some of the customers” who were first notified of the data breach in mid-July. The company made that subset of customers aware of that information this week and is offering them additional support, she said.
“While our investigation moved quickly to notify involved customers on July 16, 2020, our investigation continued after initial notifications of who was involved,” Stallings wrote in an email. “Between July 17, 2020, and September 29, 2020, we moved rapidly to make progress on the follow-up security work we committed to our customers around further hardening our environments.”
In its analysis, the company determined that “there were situations where some fields intended for Social Security number, bank account information, usernames and/or passwords were not encrypted for certain customers.” The company maintains that the hacker did not access credit-card data.
But as the Chronicle recently reported, some affected nonprofits had already disclosed that sensitive financial information was compromised during the breach before Blackbaud’s notifications this week. Northwestern Memorial HealthCare, for example, indicated that Social Security numbers, financial accounts, and payment-card information were unencrypted for five individuals in its database.
Meanwhile, donors continue to file lawsuits against the company, as well as against some of its nonprofit customers. Donors have filed 11 cases against the software giant, calling for Blackbaud to provide free credit monitoring and financial compensation for anybody who was affected by the attack, as well as improvements to the company’s data-security practices. A lawyer representing one of the donor plaintiffs filed a motion to consolidate the cases in the federal court system. The Judicial Panel on Multidistrict Litigation may consider that motion later this year.
