
List of Blackbaud breach victims tops 120

More than 120 education and third-sector organisations may have had their data compromised through the breach of Blackbaud’s cloud platform

The UK’s National Trust has joined a growing list of education and charity organisations to have had the data of their alumni or donors put at risk in a two-month-old ransomware incident that occurred at US cloud software supplier Blackbaud.

According to the BBC, the Trust, which operates hundreds of important and historical sites across the country, including natural landscapes and landmarks, parks, gardens and stately homes, said that data on its volunteers and fundraisers had been put at risk, but data on its 5.6 million members was secure.

The organisation is conducting an investigation and informing those who may be affected. As per the UK’s data protection rules, it has also reported the incident to the Information Commissioner’s Office (ICO), which is now dealing with a high volume of reports, including Blackbaud’s.

The list of well over 100 victims includes, besides those already named, universities Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London. Multiple Oxbridge colleges and several private schools have also been implicated.

The list of non-profit victims has also grown to include Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, Sue Ryder, the Urology Foundation and the Wallich. There is also a growing list of victims in the US.

Matt Aldridge, principal solutions architect at Webroot, said the growing roster of victims highlighted the massive scale of the breach, and showed starkly just how dangerous cyber attacks can be.

“Cyber criminals are becoming more inventive in the types of data and businesses they target, and no company is beyond a cyber criminal’s reach,” he said. “Large service providers are clearly now prime targets, with the wealth of valuable personal data they hold on behalf of clients.

“In this case, attackers likely identified the company as one which was likely to pay out a large sum in a ransomware extortion scenario, which they succeeded in attaining.”

Blackbaud has stressed that having paid off its attackers, who compromised its systems with an as-yet unknown ransomware, it has received assurances from the cyber criminals that all the data compromised has been destroyed. However, cyber security experts agree that such an assurance is worth very little.

Computer Weekly contacted Blackbaud for further comment. The company declined to confirm whether the list of UK victims was accurate and again insisted that it had “no reason” to believe that any data went beyond the cyber criminal organisation responsible, was or will be misused, or disseminated.

We asked the firm why it had taken two months for the disclosure to take place, and exactly what assurances it had received and why it trusted them, but it declined to address these points.

The firm’s spokesperson said they believed the motivation behind the attack was business disruption rather than data theft, although it has hired a third-party team of experts to monitor the dark web as a precaution.

At face value, Blackbaud operates a sophisticated and substantial cyber security practice with a team of professionals, developed over the past five years and evaluated by independent reviewers who have determined that it exceeds benchmarks for the finance and tech sectors. It follows industry-standard best practice and conducts ongoing risk assessments and penetration testing. It is also a member of several security thought leadership organisations.

“Blackbaud encounters millions of attacks each month, and our expert cyber security team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry,” said the firm’s spokesperson. “We believe the strength of our cyber security practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack before it did significant damage.

“Our teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cyber criminal, and took swift action to fix it. We have confirmed through testing by multiple third parties, including the appropriate platform vendors, that our fix withstands all known attack tactics.

“Additionally, we are accelerating our efforts to further harden our environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.”

The spokesperson added: “We remain committed to data privacy and protection with a cyber security strategy that ensures resilience against an ever-changing threat landscape.”

Webroot’s Aldridge said there was ultimately no such thing as perfect security, and that going forward, Blackbaud should be focusing more on risk management and resilience.

“We recommend all organisations, including service providers, to ensure they keep adequate technical defences in place – including threat intelligence technologies, up-to-date software and operating systems and proper employee education,” he said.

“Employees are the first line of defence, so there is a strong need for them to understand the importance of proper password management and awareness of phishing campaigns.”
