Cloud biz Blackbaud admits ransomware crims may have captured folks' bank info, months after saying that everything's fine

The same lot who bought off crooks in May but kept quiet till July

Comment Blackbaud, the cloud CRM provider whose execs bought off ransomware crooks in exchange for a pinky promise that stolen data would not be misused, has now confessed that customers' bank account information may have been taken from its servers by the criminals.

In a US stock market 8-K filing [PDF], Blackbaud admitted the ransomware infection in May potentially resulted in miscreants making off with banking details.

The filing, signed by Blackbaud CFO Tony Boor, said: "After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible."

That is the clear opposite of statements it made two months after the hack, when Blackbaud said: "The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."


Boor added in this week's filing: "These new findings do not apply to all customers who were involved in the security incident."

Blackbaud's latest assurances will come as cold comfort for those British students and university lecturers whose personal data was stored on Blackbaud's servers by their institutions. The company's cloud-based CRM is used predominantly by charities and further education bodies looking to capture details of current and potential future donors to their coffers.

In July Blackbaud belatedly remembered to tell the world that the ransomware attack, data theft, and subsequent buying-off of crooks had taken place in May.

In the following month, as breach notifications percolated through charities and educational institutions, chief exec Michael Gianoni airily boasted to financial analysts that the company had "stopped" the ransomware. Boor added, on the August call, that the firm's cyber-insurance policy would ensure there was no "material financial impact" from the ransomware attack.

Reg comment: This is stupid

Unfortunately for those who make a living trying to defend systems against ransomware intrusions and other deliberate attacks, Blackbaud has set a series of dangerous precedents.

It was very slow to tell its corporate customers that it had been breached and paid off the criminals; its management have airily insisted to the stock market that all is well despite them doing all the wrong things, from an infosec point of view; and it has publicly relied on cyber insurance making good its losses, presenting investors with a net-zero-loss scenario as if that was nothing to worry about.

In the absence of clear financial or regulatory consequences for Blackbaud's management, other corporations will be tempted to copy this approach – making criminals rich and the online world less safe. ®

Biting the hand that feeds IT © 1998–2022