Blackbaud Data Breach: What You Need to Know

August 26, 2020 | Article

In the context of cybersecurity and data breaches, there is truly no such thing as 100% prevention. The recent cyberattack on Blackbaud—a cloud computing and software company that provides technology to many nonprofits, foundations, corporations and healthcare organizations alike (among others)—reflects this principle; it’s just a matter of time before a cyberattack affects us directly. As scary as this sounds, it is the unfortunate reality we are currently facing.

Blackbaud Data Breach
On May 14, 2020, Blackbaud was hit with a ransomware attack that wasn’t contained until May 20, 2020, with assistance from their cybersecurity team, law enforcement and outside digital forensic experts. Although the attack was stopped before it could encrypt customer systems and data, the cybercriminals were able to remove a copy of a subset of Blackbaud’s customer data during the compromise.

Reports of the attack indicate that Blackbaud was able to lock the criminals out of their systems, but not before 657,392 records associated with Northern Light Health Foundation, as well as thousands of other nonprofits, healthcare systems, charities, universities and hospital records, were compromised. Reports also indicate that the cybergang threatened to release the stolen data unless Blackbaud paid a ransom demand. Blackbaud paid the demand on the premise that the customer data would be destroyed rather than released.

Blackbaud states that they “have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or disseminated or otherwise made available publicly.” Even so, the company has started to notify customers of the breach.

The notifications indicated that personal information, such as names, gender, dates of birth, email addresses, phone numbers and other personal data, may have been exposed. This information can be used to commit identity theft and/or to spear phish (another cyberattack that uses the stolen information to target specific individuals).

The Blackbaud data breach will impact organizations and individuals alike. The aftermath of this data breach has not yet been fully calculated, but it is anticipated that many nonprofit organizations will be affected since Blackbaud is a popular (if not the most popular) nonprofit financial management and donor software vendor. 

What Should Your Nonprofit Do?
If your nonprofit hasn’t received a notification from Blackbaud, we highly recommend you contact Blackbaud to better understand the data breach as it relates to your organization’s data. This is important, as every state has a notification law, and you may have an obligation to notify individuals whose data was compromised. Timing is especially important, so we suggest gaining an understanding of this data breach and the security of your organization’s data sooner rather than later.

Help for Nonprofit Organizations
For nonprofit organizations, experiencing a data breach can be detrimental. Blackbaud is a large organization with many resources capable of containing, remediating and mitigating any information security issues discovered from this breach. In contrast, nonprofits may not have the same resources available to mitigate the compromise of their employees’ and donors’ records.

Cybersecurity isn’t a product you can purchase and install on your systems. Cybersecurity is in an organization’s culture, and, for the most part, is supported by highly technical computer experts, software and hardware. Having said that, there are a few items on most organizations’ cybersecurity radar that are relatively inexpensive for even the smallest of organizations to implement.

  • Multi-Factor Authentication (MFA) solutions can be implemented relatively quickly. This protects systems by requiring multiple forms of authentication in order to log in to a system. This security feature can be implemented on email systems, remote login technologies, cloud applications, and more. It may be surprising how obtainable MFA can be for your organization.
  • Mobile Device Management (MDM) solutions enhance internal control and access to sensitive company information from a personal mobile device. Most organizations allow employees to use personal devices to access company information. Implementing an MDM solution reduces the risk for malicious mobile access to sensitive information.
  • Passwords have now been cast aside in favor of the use of strong passphrases. Most technology supports the use of passphrases in place of passwords. A passphrase can be an entire sentence in proper case and punctuation. This is now best practice for accessing technology, since passwords are often easier for hackers to crack than passphrases.
  • Cyber-aware people are your best chance of preventing a serious cyberattack. When we go to the beach, we bring sunblock along, just like we take precaution by buckling up to drive our car. Cybersecurity training and awareness may be the last line of defense against a cyberattack. 

If your nonprofit needs assistance with the Blackbaud data breach or mitigating future cybersecurity risks, Eide Bailly’s cybersecurity services are available to help. We have helped numerous other nonprofits through data breaches and would like to help your nonprofit mitigate its cybersecurity risks.
