Cyber Case Study: Blackbaud Supply Chain Ransomware Attack
In 2020, Blackbaud, a cloud software company serving health care organizations, educational institutions and other nonprofits across North America and the United Kingdom, was targeted in a ransomware attack. Although Blackbaud paid the ransom demanded by the cybercriminal responsible, the incident still led to sensitive data belonging to many of the company's customers being compromised, ultimately affecting hundreds of organizations and millions of individuals. The Blackbaud supply chain ransomware attack highlighted the supply chain exposures that ransomware attacks can create, as well as the cybersecurity risks that persist even after a ransom is paid.
Apart from significant recovery expenses and litigation concerns, Blackbaud also encountered widespread criticism for its poor response and its initial lack of transparency regarding the incident. There are various cybersecurity lessons that organizations can learn by reviewing the details of this attack and its impact. Here's what your organization needs to know.
The Details of the Blackbaud Supply Chain Ransomware Attack
On Feb. 7, 2020, a cybercriminal gained unauthorized access to Raiser's Edge, Blackbaud's donor management software for nonprofits. The cybercriminal used sophisticated tactics that mimicked legitimate customer activity, so Blackbaud's endpoint detection systems registered no security concerns. From there, the cybercriminal began accessing, and attempting to encrypt, sensitive data held in Raiser's Edge: data that belonged to Blackbaud's customers and their donors.
The cybercriminal's activity went undetected for several months, until May 14, 2020, when Blackbaud's cybersecurity team became aware of the incident because of a suspicious login attempt. With the help of forensic experts and law enforcement, the team had expelled the cybercriminal from Raiser's Edge by June 3, 2020, preventing them from blocking access to the program or fully encrypting any sensitive data. Nevertheless, before being removed, the cybercriminal had copied a subset of the sensitive data held in the program. On June 18, 2020, the cybercriminal used this copy to demand a ransom, threatening to expose the data if payment was not made. Blackbaud paid, in exchange for the cybercriminal's assurance that the copy would be destroyed.
Blackbaud did not inform the public of the incident until July 16, 2020, when it issued a statement outlining the details of the attack and explaining that it had paid the ransom demand. In this statement, the company claimed that no personally identifiable information (PII) had been compromised in the incident and emphasized that it had no reason to believe any data would be misused or made public in the future.
Yet a later filing with the U.S. Securities and Exchange Commission revealed that various PII had been compromised during the attack, including Social Security numbers, driver's license numbers, passport numbers, health and financial information, dates of birth, email addresses, phone numbers, mailing addresses, donation dates, donation amounts and additional donor profile information. According to the Identity Theft Resource Center, the incident affected an estimated 536 organizations and 13 million individuals in the United States, Canada and the United Kingdom, among them National Public Radio, Vermont Foodbank, Human Rights Watch, Northwest Immigrant Rights Project, Young Minds, the Smithsonian and more than 10 universities in England. What's worse, the message Blackbaud received from the cybercriminal claiming that the copy of the data had been destroyed was vague, leading some cybersecurity experts to believe that the copy still exists and could be used in future attacks.
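The detection gap described above (an intruder using valid customer access looks like a customer to endpoint tooling, and was only noticed through a suspicious login after months of activity) is one that a SaaS provider can close from its own application audit trail rather than from endpoints. The following is an added example, not Blackbaud's code or tooling, and the event format, field names, tenant name, IP addresses and thresholds are all assumptions constructed for illustration. It builds a per-account baseline of normal export volume and flags sessions that arrive from a source the account has never used and pull far more records than usual:

```python
"""Tenant-level anomaly detection over constructed application audit events.

Added example with constructed data. The event layout, the account name, the
IP addresses and the thresholds are assumptions, not anything from Blackbaud.
The point: an intruder holding stolen customer credentials looks like that
customer to endpoint tooling, so detection has to come from the application's
own audit trail: where a session came from, and how much data it pulled
compared with that account's own history.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

MIN_HISTORY = 3      # exports needed before an account's baseline is trusted (assumed)
VOLUME_RATIO = 10.0  # an export this many times the median is anomalous (assumed)

# Constructed audit events: (timestamp, account, event type, source IP, records exported)
SAMPLE_EVENTS = [
    ("2020-01-06T09:02:00Z", "foodbank", "login",  "198.51.100.7", 0),
    ("2020-01-06T09:10:00Z", "foodbank", "export", "198.51.100.7", 120),
    ("2020-01-13T09:05:00Z", "foodbank", "login",  "198.51.100.7", 0),
    ("2020-01-13T09:30:00Z", "foodbank", "export", "198.51.100.7", 95),
    ("2020-01-20T08:58:00Z", "foodbank", "login",  "198.51.100.9", 0),   # new office IP: noise
    ("2020-01-20T09:20:00Z", "foodbank", "export", "198.51.100.9", 140),
    ("2020-01-27T09:01:00Z", "foodbank", "login",  "198.51.100.7", 0),
    ("2020-01-27T09:15:00Z", "foodbank", "export", "198.51.100.7", 110),
    # Intruder session: valid credentials, unseen source, whole-database pull at 02:41.
    ("2020-02-07T02:41:00Z", "foodbank", "login",  "203.0.113.55", 0),
    ("2020-02-07T02:44:00Z", "foodbank", "export", "203.0.113.55", 48000),
]


@dataclass
class Alert:
    account: str
    timestamp: str
    reason: str
    severity: str


def detect(events):
    """Walk events in order and return alerts.

    A login from a source the account has never used is low severity on its
    own (staff travel, new office). An export far above the account's median
    is medium; the two together in one session is high, because that is what
    a bulk copy by someone using stolen access looks like.
    """
    seen_ips = defaultdict(set)          # account -> source IPs seen so far
    export_history = defaultdict(list)   # account -> past export sizes (non-anomalous)
    new_ip_sessions = set()              # (account, ip) flagged at login time
    alerts = []

    for ts, account, kind, ip, count in events:
        if kind == "login":
            # Only alert once the account has a history; the first login ever is not "new".
            if seen_ips[account] and ip not in seen_ips[account]:
                new_ip_sessions.add((account, ip))
                alerts.append(Alert(account, ts, f"login from previously unseen source {ip}", "low"))
            seen_ips[account].add(ip)

        elif kind == "export":
            history = export_history[account]
            anomalous = False
            if len(history) >= MIN_HISTORY:
                # Median rather than mean so one large export does not drag the baseline up.
                baseline = median(history)
                if count > VOLUME_RATIO * baseline:
                    anomalous = True
                    severity = "high" if (account, ip) in new_ip_sessions else "medium"
                    alerts.append(Alert(
                        account, ts,
                        f"export of {count} records vs median {baseline:g} from {ip}",
                        severity,
                    ))
            # Keep flagged exports out of the baseline so an intruder cannot
            # normalise bulk pulls by repeating them.
            if not anomalous:
                history.append(count)

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.account} {a.timestamp} {a.reason}")
```

On the constructed events this yields two low-severity new-source alerts (one of them the benign office IP, which is the noise a rule like this must tolerate) and one high-severity alert for the 48,000-record export from the unseen source, against a median of 115 records for that account. In practice the baseline would be computed per account over a rolling window and the source check would use ASN or country rather than exact IP, but the shape is the same: compare each session with the tenant's own normal, not with a global signature.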
The Impact of the Blackbaud Supply Chain Ransomware Attack
Blackbaud experienced a number of consequences from this cyber incident, including the following:
Recovery costs
Apart from the undisclosed ransom amount, Blackbaud also faced a range of recovery expenses. In its filings with the U.S. Securities and Exchange Commission, Blackbaud reported more than $3 million in costs from the attack between July and September 2020, covering notification of affected customers, investigation of the cause of the incident and improved cybersecurity measures to prevent future attacks.
Reputational damages
Blackbaud encountered widespread criticism for complying with the cybercriminal's demands and paying the ransom. After all, the FBI encourages organizations to refrain from making such payments, as there is no guarantee that the cybercriminal will follow through on their promises, which can lead to future incidents. The company also faced significant scrutiny for taking an extended period to notify the public (and affected customers) of the attack, and for its initial lack of transparency about the incident. By failing to acknowledge the possibility that PII had been compromised, Blackbaud undoubtedly lost some degree of both customer and public trust when the truth eventually came out.
Litigation concerns
In the aftermath of the attack, Blackbaud was sued in a total of 23 putative consumer class action lawsuits: 17 in U.S. federal courts, four in U.S. state courts and two in Canadian courts. These lawsuits allege that Blackbaud failed to prevent, detect and respond to the attack adequately, that it did not take reasonable measures to protect customers' and donors' PII, and that it did not properly identify how much data was compromised. Blackbaud also failed to meet the breach notification requirements of the General Data Protection Regulation (GDPR), which applied to its United Kingdom customers. Under the GDPR, an organization must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where feasible, and must notify affected individuals without undue delay when the breach is likely to result in a high risk to them. Blackbaud detected the intrusion on May 14, 2020, and did not notify until July 16, some nine weeks later.
Lessons Learned
There are several cybersecurity takeaways from the Blackbaud supply chain ransomware attack. In particular, the incident showcased these vital lessons:
Nonprofits are key targets for cybercriminals.
Because of the vast amount of PII that nonprofits often store in their donation and fundraising systems, these organizations are frequent targets for cybercriminals. The Blackbaud incident underlined this point: the cybercriminal used the company's software as the route to nonprofits' data. According to a recent survey from the Institute for Critical Infrastructure Technology, 50% of nonprofits have experienced a ransomware attack at some point. Despite this, data from the Nonprofit Technology Enterprise Network found that more than two-thirds (68%) of nonprofits lack documented cybersecurity policies and procedures, and 59% do not provide routine cybersecurity training to their staff, leaving them more vulnerable to an attack. With this in mind, it is crucial for nonprofits to prioritize cybersecurity measures to prevent potentially costly incidents.
Supply chain exposures must be considered.
This attack stressed how critical it is for organizations to evaluate and address security concerns within their supply chains. Even if an organization follows proper cyber policies and procedures internally, a compromised supplier can still threaten its security and digital assets; in this case the affected nonprofits' donor data sat in a vendor's hosted product, entirely outside their own networks. Supply chain exposures can stem from various avenues, including vendors with access to organizational networks, third parties with inadequate data storage measures and suppliers with poor overall cybersecurity practices. While it is not possible to eliminate supply chain risk completely, there are several steps organizations can take to reduce it, such as incorporating cybersecurity and breach notification expectations into vendor contracts, minimizing the access third parties have to organizational data and the amount of data they hold, and monitoring suppliers' compliance with supply chain risk management procedures.
Cyber incident response plans make a difference.
Blackbaud took months to detect this incident and weeks more to disclose it, drawing widespread criticism and compounding the overall costs of the attack. Such delays highlight how essential it is to have an effective cyber incident response plan in place. This type of plan establishes timely response protocols for mitigating losses and acting appropriately during a cyber event. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during those scenarios and the individuals responsible for carrying them out. The plan should also set out procedures, and deadlines, for notifying relevant parties (e.g., customers, shareholders and regulators) of an attack, since notification clocks such as the GDPR's 72 hours start at discovery, not at the end of the investigation. The plan should be routinely tested through activities such as tabletop exercises to confirm it works and to identify ongoing weaknesses, and adjusted based on the results.
Ransomware attacks carry unique ramifications.
It's important to note that Blackbaud made a mistake in complying with the cybercriminal's demands and paying the ransom. Paying may sometimes allow for a faster recovery, but it can lead to further cybersecurity concerns down the road if the cybercriminal does not hold true to their word. In Blackbaud's case the payment bought nothing more than a promise: the company had already prevented the encryption, so the ransom was paid solely for an assurance that a copy of the data would be deleted, an assurance that cannot be verified and that, as noted above, arrived in vague terms. Instead of paying, it is best to contact law enforcement immediately upon discovering a ransomware attack, as this can help minimize potential losses, improve the incident investigation and better identify the perpetrators.
Cybersecurity compliance is critical.
Blackbaud faced significant regulatory ramifications from failing to uphold adequate cybersecurity measures and comply with the GDPR’s notification requirements. This incident showcased how vital it is to remain compliant with applicable cybersecurity laws—especially as such legislation becomes increasingly common. In fact, a number of states have enacted stricter cybersecurity laws in recent years (e.g., California, Maine and Nevada). Looking ahead, it’s certainly possible for additional states to follow suit. As cybersecurity legislation continues to evolve, consulting appropriate legal counsel can help simplify the compliance process.
Proper coverage can provide much-needed protection.
Finally, this attack made it clear that no organization—not even a major cloud software provider—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Specifically, most organizations can benefit from having a dedicated cyber insurance policy. However, it’s best to consult a trusted insurance professional when navigating these coverage decisions.
We can help.
If you’d like additional information and resources, we’re here to help you analyze your needs and make the right coverage decisions to protect your operations from unnecessary risk. You can download a free copy of our eBook, or if you’re ready to make Cyber Liability Insurance a part of your insurance portfolio, Request a Proposal or download our Cyber & Data Breach Insurance Application and we’ll get to work for you.