Blackbaud: Hackers May Have Accessed Banking DetailsSoftware Company Offers More Information on Data Exposed in Ransomware Attack
Blackbaud, a provider of cloud-based marketing, fundraising and customer relationship management software, now acknowledges that a ransomware attack in May that affected its clients could have exposed much more personally identifiable information - including banking details - than the company initially believed, according to a filing with the U.S. Securities and Exchange Commission.
The South Carolina company now faces at least 10 lawsuits as a result of the incident (see: Blackbaud Ransomware Breach Victims, Lawsuits Pile Up).
In the U.S. healthcare sector alone, the tally of organizations affected by the incident has grown to more than three dozen, with data exposed on nearly 10 million individuals. Other clients around the world affected include those in the education and nonprofit sectors.
Blackbaud admitted in its breach notification that it paid an undisclosed ransom to cybercriminals in exchange for them ensuring that any copies of the data stolen were destroyed.
On Wednesday, Blackbaud filed a Form 8-K with the SEC that offers more details about the ransomware attack and how much data may have been exposed.
"Further forensic investigation found that for some of the notified customers, the cybercriminals may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords," according to the SEC filing. "In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted ... and are being provided with additional support."
The SEC report also notes that the investigation into the ransomware attack, which involves security firms and law enforcement agencies, is continuing.
Blackbaud, which is publicly traded, noted that, while it was able to block the cybercriminal gang from fully encrypting certain files, the hackers removed a subset of data from the firm's private hosted cloud before they were expelled.
"We expect our security incident investigation and security enhancements to continue for the foreseeable future," according to the SEC filing.
Although the ransomware incident happened in May, Blackbaud did not send out breach notifications until July 16 (see: Questions Persist About Ransomware Attack on Blackbaud).
Brett Callow, a threat researcher with security firm Emsisoft, notes that, while Blackbaud paid a ransom to the attackers in exchange for destroying stolen data, there's always a possibility that data could leak anyway.
"A breach is a breach, and Blackbaud experienced a breach," Callow says. "That the company chose to pay the ransom in no way altered the fact that the criminals had accessed and possibly exfiltrated the data. Companies that choose to pay in this scenario are not in any way undoing the breach; they're simply paying a bad-faith actor for a pinkie promise that the stolen data will be destroyed. Whether threat actors do ever actually destroy data is something only they know, but I'd be very surprised if they did."
A spokesperson for Blackbaud tells Information Security Media Group that based on the company's own research and the opinion of third parties, including law enforcement, there is currently no evidence that any customer data has leaked or been exposed. The firm is taking extra precautions.
"[The attackers'] motivation was to disrupt our business by encrypting customer files in our data centers, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure," the spokesperson says.
Healthcare Victim Tally Keeps Growing
As of Thursday, the U.S. Department of Health and Human Service's HIPAA Breach Reporting Tool, which lists health data breaches affecting 500 or more individuals, shows more breaches tied to the Blackbaud incident have been added, bringing the total to over three dozen.
Those include the largest health data breach posted this year on the HHS tally: a hacking incident affecting 3.3 million individuals reported on Sept. 14 by Michigan-based Trinity Health.
Among other Blackbaud-related breaches also added to the HHS tally in recent days are incidents reported by New York-based Nuvance Health, with nearly 315,000 individuals affected, and Missouri-based University of Missouri Health Care, with almost 190,000 people affected.
Meanwhile, Roger Severino, director of HHS's Office for Civil Rights, which maintains the tally, tells ISMG that he doesn't buy an argument by some legal experts who contend that some entities might be over-reporting data breaches in which a ransom was paid in exchange for the hackers destroying or returning stolen data.
"As a general matter ... although entities are able to pay ransoms, there is no guarantee that the data is actually destroyed. Why would you trust a criminal?" he says.
"When people have [unauthorized] access to your data, the default should be a presumption of a breach."