I received an apology email from my Alma Mater. Here's an extract. The last para makes an explicit statement that Blackbaud paid the ransom.
On Thursday, 16 July, we were made aware of a security incident involving one of our third-party service providers, Blackbaud.
Blackbaud is one of the world's largest providers of customer relationship management systems for the higher education and not-for-profit sectors.
It informed us that in May it had discovered and stopped a ransomware attack on its systems, although some data was compromised. A number of universities using its services have been affected, including the University of Leeds.
The company assures us that data compromised in the incident was comparatively low risk and did not contain any password, bank account or credit card information.
We are continuing to work closely with Blackbaud to determine exactly what personal data was compromised. We understand that other clients of Blackbaud have been affected in different ways, with varying types of data involved. In our case, it appears that names and email addresses for some members of our alumni and supporter community were affected. Information on the sums given as gifts or event payments through the alumni web portal, Leeds Alumni Online, may also have been affected, although not any bank account or credit card details. As we understand that you haven’t used our website to make any financial transactions, this aspect will not affect you.
Blackbaud paid a ransom to the cybercriminal and received assurances that the stolen data was destroyed and not used or sold on to third parties. Blackbaud says that – based on the nature of the incident, its research, and investigation by third parties (including law enforcement) – it has no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
Selwyn College, Cambridge issued a similar statement:
> We recently learned that Selwyn was one of a number of educational and voluntary sector organisations in Cambridge, the UK and across the world to have been affected by a data breach at the US company Blackbaud. [...] In order to protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand in relation to this file. Blackbaud has advised us that having paid the ransom it received assurances that this data had been destroyed and since then there has been no indication that this data remains in circulation.
They also linked to Blackbaud's statement, which confirms they paid the ransom:
> Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Incidentally, the notification was sent via Blackbaud, and appears to track that I clicked through to the statement (URL includes bblinkid/bbemailid/bbejrid parameters).
Can you imagine having a Chief We-have-been-pwned Officer who is responsible for building relationships with criminals so that they would actually delete your data rather than resurface it years later when nobody remembers (not even you) you having lost it?
The funny thing in this is that the criminals are pseudonymous at best and you can clone pseudonyms as much as you like.
Also, have you never worked for a corporation? My first thought is that the management went for the first, most obvious solution: paying the money.
The ACLU has been affected as well. From the email they sent out yesterday:
In all candor, we are frustrated with the lack of information we've received from Blackbaud about this incident thus far. The ACLU is doing everything in our power to ascertain the full nature of the breach, and we are actively investigating the nature of the data that was involved, details of the incident, and Blackbaud's remediation plans.
We are also exploring all options to ensure this does not happen again, including revisiting our relationship with Blackbaud.
Throwaway account - I am in charge of IT at one of the universities affected and am angry at how Blackbaud has been so slow at communicating this to us. Even when we asked them the exact fields/data that was stolen, they just gave us vague answers.
Our contract with them ends soon and we will definitely not be renewing when it’s up.
True. But it usually isn't worth the effort, as that would involve getting lawyers involved. Easier to not renew.
Plus most places will need some time to put an alternative in place. It's commendable if anybody manages to convince management and does this though. Inertia, and I imagine Blackbaud did provide significant value/functionality?
Yeah. One thing which is glaringly obvious from the news reports is that there is no mention of Blackbaud identifying the vulnerability and resolving it.
On the basis that
A) Blackbaud did not inform its customers promptly
B) The vulnerability is potentially still out there so further data leaks can happen in the future
I think every single organisation using Raiser's Edge needs to plan on a migration to a new system. A big and ugly task, but I can't see how anyone would think it is responsible to keep their data stored with this organisation.
Not got a stake in it or anything, but I work at a charity that uses Microsoft D365 (which for charities is dirt cheap) and we are feeling very relieved that we did not decide to use Raiser's Edge.
> The timescales in play here seem terrible from Blackbaud's discovery to initial report.
That’s going to keep happening until someone gets the book thrown at them for slow-walking a response. I know this is a pretty anti-regulatory crowd, but we can’t expect this behavior to change if there are no consequences.
You think a ratings system would deter companies from misbehaving?
The credit rating agencies have some of the lowest consumer confidence scores in the entire country, and yet Equifax suffered no consequences from its massive breach a few years ago.
Also, your suggestion is opt-in. Why would any company volunteer themselves to be scrutinized in such a faux way?
But it doesn’t follow that all rating systems will be garbage for all time.
The rating system would not deter misbehavior. ‘Misbehavior’ in this case is just competence. The rating system would give clients some transparency into the competence of the service provider.
Any company that was confident in its processes would volunteer for scrutiny because it would be positive for their credibility, just like other independent certifications.
The question would then become - why would a customer choose an unrated company?
For those unfamiliar, Blackbaud produce software that is (mainly) used for harassing^W updating alumni on university developments and asking them for money.
I think Raiser's Edge is used quite a bit in the sector, though I believe there are on-prem as well as cloud variants of the software?
The on-prem Raiser's Edge hasn't been updated in a long time and is being phased out with the preference being for RENXT cloud version.
A lot of charities use Raiser's Edge, I wonder if they are also affected?
Although that BBC report says
"One of the affected institutions told the BBC the hack is affecting a product called NetCommunity which Blackbaud describes on its website as an 'alumni engagement and management software system for nonprofits.'"
... so maybe Raiser's Edge was not part of the hack
How does asking for money make sense in case of for-profit, paid universities? You're saying that people pay them a significant amount of money for tuition, complete it, and now the university is asking for more money?
Yep. In my case, as a student, we wanted to take part in competitive programming. We won a few national competitions, and attempted an international one. We asked the department about funding for the trip (flights + hostel accom + food for 8 people), and they came back a week later saying they had spoken to some alumni who sponsored the entire trip. All they wanted in return was for us to write in the alumni newsletter about it and to consider keeping it up going forwards. 10 years later and I have no idea who it was or why they gave us the €4000.
Asking alumni for donations is done very frequently by non-profit private universities, which you're probably confusing for for-profit. Harvard is an example of such a university.
I don't know if for-profit schools also ask for donations, but those sort of schools are generally quite disreputable and frankly low class. An example is the now-defunct ITT Tech, which was best known for spamming cheap cable television ads.
Yes, this is a big part of how Colleges and Universities are funded.
Alumni tend to contribute either to leave a legacy behind or to help the College maintain its reputation, which in turn helps the alum's reputation for having graduated from there.
> to help the College maintain its reputation, which in turn helps the alum's reputation for having graduated from there.
Surely this can't work without some altruism involved? I find it doubtful that any alumni can get 10k of benefit from the increased reputation that a 10k donation can provide.
That's not how reducing your taxable income works.
If you earn 50K, you net 37640. 51K and you get 38220.
If you earn 51K and donate 1K, you net exactly the same as if you just earned 50000. i.e. 580 less than if you had just kept it (If you had put it in your pension instead, you would have kept the whole 1000)
There may be some circumstances where it makes a difference, where certain thresholds could be crossed, but AFAIK, the way they all taper prevents that.
You can only get a tax break on 40K of pension contributions, so if you earn 91-101K and claim child benefit, without another pre-tax vehicle to soak up the rest, you'd have to pay the clawback charge. However, I doubt that would work. With 3 children you'd have to donate 10K to save about 2.5K.
If you earn something around 300K, it might do something because of the tapered pension allowance. Again, I doubt it. At 250K, if you donate 10K, you can put an extra 5K in your pension. Above that, I don't think there are any more thresholds.
You assume the funds are disbursed by individuals rather than vehicles, you don’t specify which legislation you’re considering, etc etc etc. I don’t think you have enough facts here to start crunching numbers. In the UK for example there is Gift Aid for individuals: https://financial-coaching.co.uk/blog/post/self-assessment-a...
A number of schemes exist around various countries to promote incentives to donate, and they typically end up with people paying less tax overall than they would otherwise. (Note: I don’t think it’s a bad thing, no critique meant).
Yes, you pay less tax overall, but the reason for that is that the money is treated as having been given to the charity pre-tax. It does not make your net income go up.
In the illustration in your link, Sue gives 1k to charity and, as a result, pays 350 less tax. This means that, as a result of this donation, her net income has fallen by 650.
I did not provide the specific names of all the rules, but I thought that would be obvious from the numbers, context, and some of the terms.
I had not considered the difference between payroll giving (my first example: give 1k before tax, charity gets 1k, your taxable income is 1k less) and claiming back (you give 1k after tax, charity gets 1.25k, you reclaim some of the tax you paid), but payroll giving is more efficient for the donor, as they pay zero tax on the donation, rather than basic rate, as in the reclaim method.
There is no UK legislation, as far as I know, that reduces your tax bill by more than your donation.
Briefly, my point is that tax efficient charitable donation schemes can only be said to benefit the donor if you start with the assumption that part of their lifestyle includes the charities getting a certain amount. E.g. if I want the charity to get 1.25k, I only have to spend 1k for that to happen.
The schemes amplify the effects of existing altruism, rather than offering incentives to persuade non-donors to donate.
Not at liberty to say which Unis, but this is much wider than initially reported. A lot of American universities were affected as well. They are still measuring the fallout, and how best to respond. We were only told last week.
Reputational damage happens anyway, once news of the first breach/ransom goes out (which it will, it’s increasingly mandated by law). Second time around they might as well fold.
A prolonged extortion scheme can only be done on a low-scale highly-targeted basis, where you can ensure word doesn’t get out.
If the hackers don't delete the data and use it for something else, nobody will ever pay them again.
Most cryptolockers and other random criminals do exactly what they promise because if they don't, their business model will collapse. All of the stolen info isn't worth nearly as much as what universities are willing to pay out if you keep your promises.
It's wicked, but these criminals do have a business incentive to be nice. Their next target will probably pay again if they act smart.
I still very much doubt they actually destroy the data though. They could easily be keeping everything and then once the ransomware stops paying as well, they'll start profiting from what they've stolen.
I wonder if a university could protect themselves from this form of attack by amending their bylaws (or some other similarly legally-binding-and-hard-to-amend policy) to say, "We will not pay any ransoms for X, Y, or Z", and then publicise that decision widely, so any potential criminals know that there's no money to be made in targeting them.
It might, unless the attackers see it as a challenge. Many types of cybersecurity insurance won't pay out if you don't or will be more expensive than paying out, so it also might be an expensive bet to take.
The problem is that smart criminals don't directly attack a single corporation or university; they'll attack a SaaS/IaaS/PaaS provider many of their potential targets use and see what they can get out of the data. In this instance even one university paying out would probably be enough to offset the risk and cost of the criminal operation.
In many cases, paying out is also the economical choice to take, especially in ransomware attacks. Even if backups were made, tested and recent, paying a million here and there might still be worth it if not doing so would cost weeks or even months of work and employees and students lacking IT services. With modern education being run like a business, I'm not sure if it'd even make sense to bet on such a statement to be worth it. You may shoot yourself in the foot when you eventually do get hit and you need to either spend lots of time and money or break the promise you made on your website (betraying your employees and students in the process by showing that you cannot hold up the values you claim to have).
Maybe so. In this case the breach occurred at a third party software vendor. You’d need to write a similar guarantee into any contracts you signed with vendors.
If a significant number of players defect, the scam as a whole would stop working.
Presumably all competent scammers benefit from being able to repeat the scam, and would lose out if the scam stopped working, so they all have an incentive not to defect.
Scams like this depend on the scammers understanding the incentives better than their targets and so it’s reasonable to assume that the scammers are aware of the context.
Yup, we received emails from them about it - we graduated nearly 20 years ago. I guess that's the price you pay when you say "yes, send me an alumni email every so often"
The individual party incentives in ransomware are all to pay it, which encourages future attacks, only the long-term, societal view discourages payment.
The victim (individual organization or SaaS provider) wants to just have it end.
The ransomer has the incentive to build the pattern of "pay the ransom and nobody gets hurt [in this incident]", because it builds the business model.
Cybersecurity insurance exacerbates the problem, because the insurer knows that payouts solve the incident for the insured at a relatively low cost, and that each incident perversely increases the need organizations have for the insurance.
Conversely, if no one pays ransoms, it immediately ceases being a viable criminal business model.
I've read in some article that insurance companies are actually encouraging the hackers by forcing their insured victims to pay the ransom instead of trying to recover on their own or fight back against the hackers in any way.
That's the way it works with liability insurance: if you want the coverage, it's up to them, not you, whether you settle or fight. But one would hope the insurers are smart enough not to encourage bad behavior.
I’m sure the appropriate sanction for Blackbaud would bankrupt the company. While that is probably the best outcome long term, it doesn’t help anyone now.
How was trusting the word of a bunch of criminals, with no reason to follow through with deleting the data, the correct course of action? Isn't a failure to disclose what data was compromised, and how, a breach of GDPR?
There are a lot of issues I take with their response so far.
Note: I am an admin that administers part of their product suite, which has mostly not been affected to my knowledge because we are mostly using their products on-prem.
1. This isn’t a ransomware attack in the traditional sense. They had an intrusion starting in February that they noticed in May because the actor was sending data offsite. They then held that data for ransom. That’s not ransomware, that’s getting hacked.
2. They will not tell people what specific data was exposed. Only "internal systems". That may include things like customers that have on-prem solutions but have to send backups of their DB for support etc. Blackbaud won't say anything.
3. There is no way to confirm the malicious actors didn’t have copies of their own data that wasn’t deleted. It got out of their control and they lost all chain of custody. They are literally trusting criminals here as a way to say it’s not exposed (and hiring some firm to “monitor the dark web” for data)
4. While some data is encrypted, how it's encrypted in at least a few cases I know of isn't exactly secure. For example, in one product the encryption key is stored in a stored procedure packaged into their compiled installer and is placed into an SSIS package on any SQL instance the product is installed on. It's the same key for all customers (and I'll just say it isn't randomized or very hard to iterate). If the actors got any access to their installers, all they would have to do is join the database to the installer and boom, encryption is useless.
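The fourth point above is a key-management failure rather than a cipher failure: one static key shipped inside the installer protects every customer's data, so possession of the build is possession of every tenant's key. The following added example (not code from the thread or from any vendor product; all names, keys and the installer bytes are constructed) contrasts that design with per-tenant random keys kept outside the shipped package, and includes the release-time check a defender would run to confirm no key is recoverable from the distributed artifact. HMAC-SHA256 in counter mode stands in for AES-CTR because the Python standard library has no AES; the key-management point is the same either way.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a static key baked into a vendor installer; not a real
# vendor value. The thread describes a key living in a stored procedure shipped with
# the compiled installer and identical for every customer.
BAKED_IN_KEY = b"vendor-static-key-0001"

# Constructed stand-in for the shipped installer bytes, with the key embedded in them.
INSTALLER_BLOB = (
    b"<setup.exe>...CREATE PROCEDURE dbo.GetFieldKey AS SELECT '"
    + BAKED_IN_KEY
    + b"' ...<ssis package>"
)

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one secret (HKDF-style, via HMAC)."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for AES-CTR (stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def provision_tenant_key(tenant_id: str) -> bytes:
    """Hardened pattern: a fresh random key per customer, generated at install time and
    kept in that customer's own secret store, never inside the shipped package.
    tenant_id is only a label here; the key is deliberately not derived from it."""
    return secrets.token_bytes(32)


def key_leaks_from_artifact(key: bytes, artifact: bytes) -> bool:
    """Release-time check: a key must never be recoverable from the distributed build."""
    return key in artifact


def demo() -> dict:
    # Constructed sample records for two hypothetical customers.
    record_a = b"tenant A: donor Jane, gift 250"
    record_b = b"tenant B: donor John, gift 100"

    # Weak design: both customers' data is protected by the one key that ships in the installer.
    weak_a = encrypt(BAKED_IN_KEY, record_a)
    weak_b = encrypt(BAKED_IN_KEY, record_b)
    shared_key_decrypts_every_tenant = (
        decrypt(BAKED_IN_KEY, weak_a) == record_a and decrypt(BAKED_IN_KEY, weak_b) == record_b
    )

    # Hardened design: independent random keys; one customer's key is useless for another's data.
    key_a = provision_tenant_key("tenant-a")
    key_b = provision_tenant_key("tenant-b")
    strong_b = encrypt(key_b, record_b)
    try:
        decrypt(key_a, strong_b)
        cross_tenant = True
    except ValueError:
        cross_tenant = False

    return {
        "baked_key_in_installer": key_leaks_from_artifact(BAKED_IN_KEY, INSTALLER_BLOB),
        "tenant_key_in_installer": key_leaks_from_artifact(key_a, INSTALLER_BLOB),
        "shared_key_decrypts_every_tenant": shared_key_decrypts_every_tenant,
        "per_tenant_key_decrypts_other_tenant": cross_tenant,
        "per_tenant_roundtrip_ok": decrypt(key_b, strong_b) == record_b,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `key_leaks_from_artifact` check is the cheap part to automate in a build pipeline: scan every release artifact for every key the product is known to use. The expensive but necessary part is the design change it enforces, which is that no key the product relies on exists before a customer installs it.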
I forgot the exact GDPR laws but I think if they failed to disclose the security breach within 3 days of discovery they are subject to a fine of 4% of their revenue.
Up to 4% of their global revenue or €20,000,000, whichever is higher. Those are the maximum fines they can levy (per incident), but in reality it's very unlikely to be that high.
And yes, you are correct, organisations have 72 hours to disclose the breach.
The various data protection offices (such as the ICO in the UK) usually try to work with organisations first. If Blackbaud aren't playing ball though, they may be in for a rough ride (assuming that they actually operate where the EU has jurisdiction that is).
Slightly nitpicky, but the 72 hour piece is wrong here.
A data controller has 72 hours to notify the ICO (or other supervisory authority). A data processor has no such obligation [unless specified as part of the data processing agreement, DPA].
Most DPAs will state ASAP, so that the controller can notify.
But in this instance Blackbaud would almost certainly be a processor.
Article 28 makes it a requirement that the processor and the controller arrange for this notification requirement to be arranged between them. A failure to do so by the processor would likely make them liable. The processor is only able to discharge itself from this liability if they notify the controller promptly.