Blackbaud, a cloud software supplier, suffered one of the most notable ransomware attacks in May 2020.
Not very long after discovering the attack, Blackbaud decided to pay the ransomware attackers. The move was considered unwise by cybersecurity experts.
Blackbaud, publicly traded on NASDAQ, considers itself the world’s leading cloud software company powering social good, with customers including more than 25,000 organizations in more than 60 countries.
On July 16th, 2020 a data breach notification was posted on its website, saying that ransomware-wielding attackers had managed to exfiltrate and encrypt customer data in May 2020.
“After discovering the attack, our cybersecurity team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system,” it says. “Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”
Blackbaud is a data processor, so it would have been required to notify the ICO and the data controllers (its customers) within 72 hours of learning about the breach.
The company did not respond in a timely manner to requests for comment regarding how many of its customers were affected, who they were, when they were all informed, when it alerted the relevant regulators, or which ransomware strain or gang appeared to be involved. Blackbaud’s delay therefore amounted to a failure to meet GDPR’s requirements, since neither the regulators nor the data controllers, meaning its customers, were notified in time.
“While the main obligation to report a data breach to the relevant data protection authority under GDPR – without undue delay and, where feasible, not later than 72 hours after having become aware of it – is on the data controller, the data processor also has an obligation to notify a data controller without undue delay after it becomes aware of a data breach,” attorney Jonathan Armstrong, a partner at London-based Cordery, tells Information Security Media Group. “Data controllers using Blackbaud will want to ask it why the report was delayed.”
Blackbaud Paid the Ransom
Blackbaud declared it paid a ransom, without disclosing the amount.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” it says. “Based on the nature of the incident, our research, and third-party – including law-enforcement – investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
There is no law stopping companies from paying a ransom, provided the funds do not go to cryptocurrency wallets tied to known terrorist groups or other sanctioned entities, but cybersecurity experts do not recommend paying attackers, because every payment confirms this type of crime as a viable, even if illicit, business model.
Another thing that needs to be addressed in this type of situation is the morality of the criminals; in other words, can the threat actors be trusted?
Users of Blackbaud’s software are involved in fundraising and other benefactor activities, so the individuals in that data could now become targets for ransomware attackers’ attention and attempted extortion, in the form of threats to leak information about the individuals that fundraisers at universities and other organizations might be courting.
Another trust-related aspect is the attackers’ promise not to divulge the sensitive data further once the ransom is paid; relying on that promise does not seem to be the best approach.
The Data Breach Class Action
In December 2020 a class action suit was filed against Blackbaud.
Between February 7, 2020, and May 20, 2020, cybercriminals orchestrated a ransomware attack and infiltrated inadequately protected computer networks maintained by Blackbaud, a software company based in Charleston County, South Carolina.
The complaint charges that the systems were “incompetently secured…” It claims that Blackbaud failed to do a number of things to prevent such a breach. For example,
- It failed to “timely implement adequate and reasonable measures” to protect the information.
- It failed to prevent the breach or to detect it promptly.
- It failed to “honor its repeated promises and representations to protect” the PII and PHI.
- It failed to identify all information that was accessed.
- It failed to “properly train employees regarding ransomware attacks[.]”
- It failed to give the victims “any redress for the Data Breach”.
The complaint points out that Blackbaud said it had “already implemented changes to prevent this specific issue from happening again”, but argues that if all the previously mentioned measures had been implemented, this incident would not have happened and [the victims’] Personal Information would not have been compromised.
The complaint alleges that Blackbaud should be held responsible “for its grossly negligent—indeed, reckless—failure to use statutorily required or reasonable cybersecurity measures to protect” the victims of this data breach.