In the context of cybersecurity and data breaches, there is truly no such thing as 100% prevention. The recent cyberattack on Blackbaud—a cloud computing and software company that provides technology to many nonprofits, foundations, corporations and healthcare organizations alike (among others)—reflects this principle; it’s just a matter of time before a cyberattack affects us directly. As scary as this sounds, it is the unfortunate reality we are currently facing.
Blackbaud Data Breach
On May 14, 2020, Blackbaud was hit with a ransomware attack that wasn’t contained until May 20, 2020, with assistance from their cybersecurity team, law enforcement and outside digital forensic experts. Although the attack was stopped before it could encrypt customer systems and data, the cybercriminals were able to remove a copy of a subset of Blackbaud’s customer data during the compromise.
Reports of the attack indicate that Blackbaud was able to lock the criminals out of their systems, but not before 657,392 records associated with Northern Light Health Foundation, as well as records from thousands of other nonprofits, healthcare systems, charities, universities and hospitals, were compromised. Reports also indicate that the cybergang threatened to release the stolen data unless Blackbaud paid a ransom demand. Blackbaud paid the demand on the premise that the customer data would be destroyed rather than released.
Blackbaud states that they “have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or disseminated or otherwise made available publicly.” Even so, the company has started to notify customers of the breach.
The notifications indicated that personal information, such as names, gender, dates of birth, email addresses, phone numbers and other personal data, may have been exposed. This information can be used to commit identity theft and/or to spear phish (a cyberattack that uses the stolen information to target specific individuals).
The Blackbaud data breach will impact organizations and individuals alike. The aftermath of this data breach has not yet been fully calculated, but it is anticipated that many nonprofit organizations will be affected since Blackbaud is a popular (if not the most popular) nonprofit financial management and donor software vendor.
How to Prevent, Detect and Respond to Cybersecurity Incidents
What Should Your Nonprofit Do?
If your nonprofit hasn’t received a notification from Blackbaud, we highly recommend you contact Blackbaud to better understand the data breach as it relates to your organization’s data. This is important, as every state has a notification law, and you may have an obligation to notify individuals whose data was compromised. Timing is especially important, so we suggest gaining an understanding of this data breach and the security of your organization’s data sooner rather than later.
Help for Nonprofit Organizations
For nonprofit organizations, experiencing a data breach can be detrimental. Blackbaud is a large organization with many resources capable of containing, remediating and mitigating any information security issues discovered from this breach. In contrast, nonprofits may not have the same resources available to mitigate the compromise of their employees’ and donors’ records.
Cybersecurity isn’t a product you can purchase and install on your systems. Cybersecurity is in an organization’s culture, and, for the most part, is supported by highly technical computer experts, software and hardware. Having said that, there are a few items on most organizations’ cybersecurity radar that are relatively inexpensive for even the smallest of organizations to implement.
If your nonprofit needs assistance with the Blackbaud data breach or mitigating future cybersecurity risks, Eide Bailly’s cybersecurity services are available to help. We have helped numerous other nonprofits through data breaches and would like to help your nonprofit mitigate its cybersecurity risks.