I received an apology email from my alma mater. Here's an extract. The last paragraph makes an explicit statement that Blackbaud paid the ransom.
> On Thursday, 16 July, we were made aware of a security incident involving one of our third-party service providers, Blackbaud.
> Blackbaud is one of the world's largest providers of customer relationship management systems for the higher education and not-for-profit sectors.
> It informed us that in May it had discovered and stopped a ransomware attack on its systems, although some data was compromised. A number of universities using its services have been affected, including the University of Leeds.
> The company assures us that data compromised in the incident was comparatively low risk and did not contain any password, bank account or credit card information.
> We are continuing to work closely with Blackbaud to determine exactly what personal data was compromised. We understand that other clients of Blackbaud have been affected in different ways, with varying types of data involved. In our case, it appears that names and email addresses for some members of our alumni and supporter community were affected. Information on the sums given as gifts or event payments through the alumni web portal, Leeds Alumni Online, may also have been affected, although not any bank account or credit card details. As we understand that you haven’t used our website to make any financial transactions, this aspect will not affect you.
> Blackbaud paid a ransom to the cybercriminal and received assurances that the stolen data was destroyed and not used or sold on to third parties. Blackbaud says that – based on the nature of the incident, its research, and investigation by third parties (including law enforcement) – it has no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
Selwyn College, Cambridge issued a similar statement:
> We recently learned that Selwyn was one of a number of educational and voluntary sector organisations in Cambridge, the UK and across the world to have been affected by a data breach at the US company Blackbaud. [...] In order to protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand in relation to this file. Blackbaud has advised us that having paid the ransom it received assurances that this data had been destroyed and since then there has been no indication that this data remains in circulation.
They also linked to Blackbaud's statement, which confirms they paid the ransom:
> Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Incidentally, the notification was sent via Blackbaud, and appears to track that I clicked through to the statement (URL includes bblinkid/bbemailid/bbejrid parameters).
The ACLU has been affected as well. From the email they sent out yesterday:
> In all candor, we are frustrated with the lack of information we've received from Blackbaud about this incident thus far. The ACLU is doing everything in our power to ascertain the full nature of the breach, and we are actively investigating the nature of the data that was involved, details of the incident, and Blackbaud's remediation plans.
> We are also exploring all options to ensure this does not happen again, including revisiting our relationship with Blackbaud.
Throwaway account - I am in charge of IT at one of the universities affected and am angry at how slow Blackbaud has been at communicating this to us. Even when we asked them for the exact fields/data that was stolen they just gave us vague answers.
Our contract with them ends soon and we will definitely not be renewing when it’s up.
> The timescales in play here seem terrible from Blackbaud's discovery to initial report.
That’s going to keep happening until someone gets the book thrown at them for slow-walking a response. I know this is a pretty anti-regulatory crowd, but we can’t expect this behavior to change if there are no consequences.
For those unfamiliar, Blackbaud produce software that is (mainly) used for harassing^W updating alumni on university developments and asking them for money.
I think Raiser's Edge is used quite a bit in the sector, though I believe there are on-prem as well as cloud variants of the software?
The on-prem Raiser's Edge hasn't been updated in a long time and is being phased out, with the preference being for the RENXT cloud version.
A lot of charities use Raiser's Edge, I wonder if they are also affected?
Although that BBC report says
"One of the affected institutions told the BBC the hack is affecting a product called NetCommunity which Blackbaud describes on its website as an 'alumni engagement and management software system for nonprofits.'"
... so maybe Raiser's Edge was not part of the hack
How does asking for money make sense in case of for-profit, paid universities? You're saying that people pay them a significant amount of money for tuition, complete it, and now the university is asking for more money?
Not at liberty to say which Unis, but this is much wider than initially reported. A lot of American universities were affected as well. They are still measuring the fallout, and how best to respond. We were only told last week.
If the hackers don't delete the data and use it for something else, nobody will ever pay them again.
Most cryptolockers and other random criminals do exactly what they promise because if they don't, their business model will collapse. All of the stolen info isn't worth nearly as much as what universities are willing to pay out if you keep your promises.
It's wicked, but these criminals do have a business incentive to be nice. Their next target will probably pay again if they act smart.
Yup, we received emails from them about it - we graduated nearly 20 years ago. I guess that's the price you pay when you say "yes, send me an alumni email every so often"
The individual party incentives in ransomware are all to pay it, which encourages future attacks; only the long-term, societal view discourages payment.
The victim (individual organization or SaaS provider) wants to just have it end.
The ransomer has the incentive to build the pattern of "pay the ransom and nobody gets hurt [in this incident]", because it builds the business model.
Cybersecurity insurance exacerbates the problem, because the insurer knows that payouts solve the incident for the insured at a relatively low cost, and that each incident perversely increases the need organizations have for the insurance.
Conversely, if no one pays ransoms, it immediately ceases being a viable criminal business model.
I've read in some article that insurance companies are actually encouraging the hackers by forcing their insured victims to pay the ransom instead of trying to recover on their own or fighting back against the hackers in any way.
That’s the way it works with liability insurance — if you want the coverage, it’s up to them, not you, whether you settle or fight. But one would hope the insurers are smart enough not to encourage bad behavior.
I’m sure the appropriate sanction for Blackbaud would bankrupt the company. While that is probably the best outcome long term, it doesn’t help anyone now.
How was trusting the word of a bunch of criminals, with no reason to follow through with deleting the data, the correct course of action? Isn’t a failure to disclose what data was compromised, and how, a breach of GDPR?
There are a lot of issues I take with their response so far.
Note: I am an admin that administers part of their product suite, which has mostly not been affected to my knowledge because we are mostly using their products on-prem.
1. This isn’t a ransomware attack in the traditional sense. They had an intrusion starting in February that they noticed in May because the actor was sending data offsite. They then held that data for ransom. That’s not ransomware, that’s getting hacked.
2. They will not tell people what specific data was exposed. Only “internal systems”. That may include things like customers that have on-prem solutions but have to send backups of their DB for support etc. Blackbaud won’t say anything.
3. There is no way to confirm the malicious actors don’t have copies of their own data that weren’t deleted. It got out of their control and they lost all chain of custody. They are literally trusting criminals here as a way to say it’s not exposed (and hiring some firm to “monitor the dark web” for data).
4. While some data is encrypted, how it’s encrypted in at least a few cases I know of isn’t exactly secure. For example, in one product the encryption key is stored in a stored procedure packaged into their compiled installer and is placed into an SSIS package on any SQL instance the product is installed on. It’s the same key for all customers (and I’ll just say it isn’t randomized or very hard to iterate). If the actors got any access to their installers, all they would have to do is join the database to the installer and boom, encryption is useless.
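As an added audit check (not the commenter's code, and not Blackbaud's), the script below scans a constructed stored-procedure definition and a constructed SSIS package fragment for a key literal that is shared between them, which is the "same key for all customers, shipped in the installer" pattern described in point 4. It assumes the key reaches SQL Server as a literal passphrase to ENCRYPTBYPASSPHRASE/DECRYPTBYPASSPHRASE and as a plain package variable; the comment does not state either detail.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stored-procedure definition, as an auditor might pull it from
# OBJECT_DEFINITION(). The literal passphrase is the defect being checked for.
SAMPLE_SQL = """
CREATE PROCEDURE dbo.usp_GetDonorCard @id INT AS
SELECT CONVERT(NVARCHAR(64), DECRYPTBYPASSPHRASE('Pr0ductK3y-2014', CardToken))
FROM dbo.Donor WHERE DonorId = @id;
"""

# Constructed DTSX (SSIS package) fragment: the same key held as a plain variable.
SAMPLE_DTSX = """<DTS:Executable xmlns:DTS="www.microsoft.com/SqlServer/Dts">
  <DTS:Variables>
    <DTS:Variable DTS:ObjectName="EncryptionKey">
      <DTS:VariableValue DTS:DataType="8">Pr0ductK3y-2014</DTS:VariableValue>
    </DTS:Variable>
    <DTS:Variable DTS:ObjectName="BatchSize">
      <DTS:VariableValue DTS:DataType="3">500</DTS:VariableValue>
    </DTS:Variable>
  </DTS:Variables>
</DTS:Executable>"""

# *BYPASSPHRASE takes the passphrase as its first argument; a quoted string
# literal there means the key is baked into the shipped code.
_PASSPHRASE_LITERAL = re.compile(
    r"\b(EN|DE)CRYPTBYPASSPHRASE\s*\(\s*N?'([^']*)'", re.IGNORECASE)
_KEY_NAME = re.compile(r"(key|passphrase|secret|password)", re.IGNORECASE)
_DTS_NS = "www.microsoft.com/SqlServer/Dts"

def find_sql_passphrases(sql_text):
    """Literal passphrases passed to *BYPASSPHRASE in a T-SQL definition."""
    return [m.group(2) for m in _PASSPHRASE_LITERAL.finditer(sql_text)]

def find_dtsx_key_variables(dtsx_xml):
    """(name, value) for package variables whose name suggests key material
    and whose value is a non-empty literal."""
    root = ET.fromstring(dtsx_xml)
    hits = []
    for var in root.iterfind(".//DTS:Variable", {"DTS": _DTS_NS}):
        name = var.get("{%s}ObjectName" % _DTS_NS, "")
        value_el = var.find("DTS:VariableValue", {"DTS": _DTS_NS})
        value = (value_el.text or "").strip() if value_el is not None else ""
        if _KEY_NAME.search(name) and value:
            hits.append((name, value))
    return hits

def shared_key_across_artifacts(sql_text, dtsx_xml):
    """True when one literal appears in both artifacts: the key is embedded in
    what ships to every customer rather than provisioned per installation."""
    sql_keys = set(find_sql_passphrases(sql_text))
    dtsx_keys = {v for _, v in find_dtsx_key_variables(dtsx_xml)}
    return bool(sql_keys & dtsx_keys)
```

A hit means the key material is recoverable from the installer or any database backup sent offsite for support, which is the scenario the commenter warns about.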
I forgot the exact GDPR laws but I think if they failed to disclose the security breach within 3 days of discovery they are subject to a fine of 4% of their revenue.
stordoff | 5 years ago | links from the Selwyn and Blackbaud statements quoted above:
https://www.selwynalumni.com/main-website-pages/blackbaud-da...
https://www.blackbaud.co.uk/newsroom/news-archives/2020/07/1...
heavenlyblue | 5 years ago
They have a really corporate sense of humour.
philjohn | 5 years ago
I wonder how much information they still have on me, seeing as I graduated 18 years ago ...
cnorthwood | 5 years ago
I have also received this from the University of York. The timescales in play here seem terrible from Blackbaud's discovery to initial report.