Blackbaud, the cloud CRM provider whose execs bought off ransomware crooks in exchange for a pinky promise that stolen data would not be misused, has now confessed that customers' bank account information may have been taken from its servers by the criminals.
In a US stock market 8-K filing [PDF], Blackbaud admitted the ransomware infection in May potentially resulted in miscreants making off with banking details.
The filing, signed by Blackbaud CFO Tony Boor, said: "After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible."
That is the clear opposite of statements it made two months after the hack, when Blackbaud said: "The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
Boor added in this week's filing: "These new findings do not apply to all customers who were involved in the security incident."
Blackbaud's latest assurances will come as cold comfort for those British students and university lecturers whose personal data was stored on Blackbaud's servers by their institutions. The company's cloud-based CRM is used predominantly by charities and further education bodies looking to capture details of current and potential future donors to their coffers.
In July Blackbaud belatedly remembered to tell the world that the ransomware attack, data theft, and subsequent buying-off of crooks had taken place in May.
In the following month, as breach notifications percolated through charities and educational institutions, chief exec Michael Gianoni airily boasted to financial analysts that the company had "stopped" the ransomware. Boor added, on the August call, that the firm's cyber-insurance policy would ensure there was no "material financial impact" from the ransomware attack.
Reg comment: This is stupid
Unfortunately for those who make a living trying to defend systems against ransomware intrusions and other deliberate attacks, Blackbaud has set a series of dangerous precedents.
It was very slow to tell its corporate customers that it had been breached and paid off the criminals; its management have airily insisted to the stock market that all is well despite them doing all the wrong things, from an infosec point of view; and it has publicly relied on cyber insurance making good its losses, presenting investors with a net-zero-loss scenario as if that was nothing to worry about.
In the absence of clear financial or regulatory consequences for Blackbaud's management, other corporations will be tempted to copy this approach – making criminals rich and the online world less safe. ®