Blackbaud calls itself the world’s leading cloud software company powering social good. Here is more about how Blackbaud describes itself.
Leading uniquely at the intersection point of technology and social good, we provide cloud software, services, expertise, and data intelligence that empower and connect people to drive impact for social good. (Source: https://www.blackbaud.com/company)
We serve the entire social good community, which includes nonprofits, foundations, corporations, education institutions, healthcare institutions, and the individual change agents who support them.
In May 2020, somebody launched a ransomware attack against Blackbaud and stole data. Coverage has been almost nonexistent; I found out when a few friends at my day-job heard the news and told me about it. In July. Two months after the incident. My jaw dropped when I read Blackbaud’s statement. Yours will too.
In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. (Source: https://www.blackbaud.com/securityincident)
What??? (I added italics for emphasis.)
I would love to see how all those third parties, including law enforcement, verified that the attackers destroyed the data they stole. My satirical side is tempted to insert a super snarky sentence here about the hallowed halls of hogwash.
Search for “Blackbaud data breach” and a bazillion articles come up about victim schools. Most conclude with reassuring words about how the elite Blackbaud security team is on the case.
The most substantive articles I could find on this incident were this one from the BBC, and this one from Phil Hill’s PhilOnTech blog. Which means useful information is hard to find. This is a shame.
Ransomware and other cyberattacks are a fact of life these days, and Blackbaud is one of many victim organizations. But Blackbaud blew it. Not because somebody penetrated its defenses, but because its leaders failed to inform the public about how it happened and what they’re doing about it. Especially after they paid crooks from profits they made from nonprofits.
So, here’s my question for the leaders at Blackbaud. If you guys are serious about your mission – “leading uniquely at the intersection point of technology and social good,” why not lead uniquely now and adopt open around this incident? Your performance to date has already been embarrassing. Why not subject yourself to a little more embarrassment and teach other organizations how to avoid the mistakes you made?
I’m not asking for anything new here; the debate about adopting open vs. keeping it all secret goes back to at least 1853. Here’s a presentation about it. Here’s an article.
So, how about it, Blackbaud? If you can’t dazzle ’em with facts, do you really think you can baffle ’em with this BS? We’re already laughing at you. Why not come clean and work on your credibility?