Notice of Blackbaud Cyber Security Incident
Posted August 21st, 2020 by Canadian Hemochromatosis Society
On July 16, 2020, we were informed of a ransomware cyber-attack that affected one of our service providers, Blackbaud. Blackbaud is one of the world’s largest providers of education administration, fundraising, and financial management software for non-profits. The incident involved a cybercriminal who removed data for the purpose of extorting funds from Blackbaud, which paid a ransom in exchange for the deletion of the extracted data.
What information was involved?
It’s important to note that the cybercriminal did not access any financial or credit card information. However, the file removed may have contained personal information such as your name, address, email and phone number, demographic information such as date of birth and marital status, communication preferences, HFE genetic status, and a history of your relationship with our organization, such as donation dates and amounts.
Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
As an extra precautionary measure, Blackbaud has hired a third-party team of experts to monitor the dark web for any signs of the breached data.
The Canadian Hemochromatosis Society has notified the Office of the Information and Privacy Commissioner (OIPC) for British Columbia and the Office of the Privacy Commissioner of Canada about this cyber security incident. Should you wish to contact the OIPC for BC, please visit their website at www.oipc.bc.ca. The website for the Privacy Commissioner of Canada can be found at priv.gc.ca.
What can you do on your own to ensure the safety of your personal information?
While we have no indication that your information has been compromised by this incident, we are strongly urging you to monitor your accounts closely for any suspicious activity and to notify your financial institution immediately if you notice any unauthorized spending or withdrawals.
Remain vigilant about any email messages, text messages or phone calls that ask you to provide sensitive information or financial details.
As an additional preventive measure, we also recommend that you monitor your credit files by contacting both Equifax at 1-800-465-7166 and TransUnion at 1-800-663-9980. You should ask for a copy of your credit report to be sent to you, free of charge. It is possible to request your free TransUnion report online here: ocs.transunion.ca.
When you receive your credit reports, you should review them for suspicious activity but also for any potential errors in your personal information (for example, your file being mixed with the file of a person of the same name). If you notice any recent errors or other suspicious activity, you should submit a correction form to the appropriate credit agency and contact local police. You can also contact the Canadian Anti-Fraud Centre at 1-888-495-8501 for further instructions and assistance.
What if you want to speak with Canadian Hemochromatosis Society regarding this incident?
Should you feel the need to speak with Canadian Hemochromatosis Society regarding this incident, please leave a voice message for Brenda Ohara, Manager of Member Support and Administration, at 604-279-7135 with your name and a telephone number where you can be reached, and Brenda will return your call.
At the Canadian Hemochromatosis Society, we take our responsibilities to protect your account information very seriously. We are deeply disturbed by this situation and apologize for any inconvenience.
The following FAQs have been provided by Blackbaud:
Q. How can you be sure the information the cybercriminal was exposed to is contained and wasn’t sold online?
A. Blackbaud’s third party negotiation company – an expert in dealing with ransomware threats – was in regular contact with the cybercriminal from the time Blackbaud shut the cybercriminal out of Blackbaud’s system. So, we know that this attack was primarily a ransomware attack aiming to shut down the company. Thanks to the good work of Blackbaud’s security team, a shutdown was avoided, but the cybercriminal had copied a subset of back-up files and he used these files as a secondary method of extorting money from Blackbaud. It seemed from the beginning that the cybercriminal’s primary interest was to receive payment from Blackbaud, not in selling or otherwise exposing the data.
Blackbaud agreed to pay the cybercriminal with confirmation that the data was destroyed. Why would we believe that this cybercriminal kept his word and destroyed the data? Because their future business depends on future targets believing that the cybercriminal will keep their word. Both the third-party negotiation company and U.S. Federal law enforcement keep records of various cybercriminals and whether they have a history of meeting their own obligations. One of the reasons that Blackbaud was willing to pay this cybercriminal is because its security team was told that the cybercriminal would likely do as they promised. This may have been due to an understanding of the cybercriminal’s past history, but it also included the understanding that, if the cybercriminal held another company for ransom in the future, security vendors and law enforcement would look to their history here to decide whether it was worth paying the ransom, and would advise the victim company accordingly.
In short, the cybercriminal has strong incentive to keep their word. This is especially true given the scattered nature of the information he exposed at Blackbaud – information that was filled with publicly-available data and did not contain the card or bank account numbers, or social security numbers, needed for identity theft schemes. The data did not seem very valuable to criminal enterprises, so this is another incentive not to try to sell the data after promising to destroy it.
Finally, Blackbaud has not been relying on the word of the cybercriminal. In today’s world, when databases appear on the dark web or elsewhere for sale, many people know about it. The criminals know about it because they are the customers who buy and use the data. Both public law enforcement and private security firms know about it too and are constantly scouring the web for new information. These security companies have deep, sophisticated tools to search in the darkest reaches of cyberspace for specific data. Blackbaud has engaged a security firm to look for this data on its behalf and has requested U.S. Federal law enforcement help with that search. They have not found the data. To date and to our knowledge, none of the back-up databases from the Blackbaud incident have appeared anyplace you would expect to see such information if it were offered for sale.
A team of experts is monitoring the dark web and private online channels on a constant 24/7/365 basis looking for any traces of the data involved in this incident. The service leverages both automation and manual analysis of open and closed dark web forums, private online channels, and custom sources typically used to buy, sell or disclose stolen data. If there is any indication that such data is on the dark web, we are alerted on a real-time basis and would notify our customers.
These are the tools that a company can use to reduce risk for the data subjects – pay for the data to be destroyed and confirm the data does not appear elsewhere. We intend to continue monitoring indefinitely to ensure that we remain vigilant for any appearance of this data.
Q. What is Blackbaud doing in response to this incident?
- We make no excuses and take this matter very seriously. Cyberattacks are a common occurrence in the world today, especially with well-established companies. But given our investments, we are able to thwart millions of cyberattacks each month. Unfortunately, we encountered this more sophisticated incident recently and had to take additional actions but were able to close it down.
- Over the last five years, we have built a substantial cyber security practice with a dedicated team of professionals. Independent reviewers have studied our program and have determined that it exceeds benchmarks for both the financial and technology sectors. We follow industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure. We are also a member of various Cyber Security thought leadership organizations, including the Cloud Security Alliance and the Financial Services Information Sharing and Analysis Center (FS-ISAC), where we team up with other experts to share best practices and tactical threat information for the Cyber Security community. We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this ransomware attack before it did significant damage.
- With respect to this incident: First, our teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. We have confirmed through testing by multiple third parties, including the appropriate platform vendors, that our fix withstands all known attack tactics. Additionally, we are accelerating our efforts to further harden our environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
- One important item we are accelerating is our efforts to add multi-factor authentication to all of our self-hosted solutions. More information will be shared in the coming months.
- We are ensuring all users reset their passwords regularly and will be requiring stronger passwords for a subset of our customers. More information will be provided in an in-product notification.
- Even before this incident occurred, Blackbaud participated in regular security audits that benchmarked our security program above peers in the financial and technology sector.
- We remain committed to data privacy and protection with a cyber security strategy that ensures resilience against an ever-changing threat landscape.
- We are dedicated to maintaining compliance and transparency including the self-service portal for Compliance Reports (2020) (PCI, SOC).