Cloud biz Blackbaud admits ransomware crims may have captured folks' bank info, months after saying that everything's fine

The same lot who bought off crooks in May but kept quiet till July


Comment Blackbaud, the cloud CRM provider whose execs bought off ransomware crooks in exchange for a pinky promise that stolen data would not be misused, has now confessed that customers' bank account information may have been taken from its servers by the criminals.

In a US stock market 8-K filing [PDF], Blackbaud admitted the ransomware infection in May potentially resulted in miscreants making off with banking details.

The filing, signed by Blackbaud CFO Tony Boor, said: "After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible."

That is the clear opposite of statements it made two months after the hack, when Blackbaud said: "The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."


Boor added in this week's filing: "These new findings do not apply to all customers who were involved in the security incident."

Blackbaud's latest assurances will come as cold comfort for those British students and university lecturers whose personal data was stored on Blackbaud's servers by their institutions. The company's cloud-based CRM is used predominantly by charities and further education bodies looking to capture details of current and potential future donors to their coffers.

In July Blackbaud belatedly remembered to tell the world that the ransomware attack, data theft, and subsequent buying-off of crooks had taken place in May.

In the following month, as breach notifications percolated through charities and educational institutions, chief exec Michael Gianoni airily boasted to financial analysts that the company had "stopped" the ransomware. Boor added, on the August call, that the firm's cyber-insurance policy would ensure there was no "material financial impact" from the ransomware attack.

Reg comment: This is stupid

Unfortunately for those who make a living trying to defend systems against ransomware intrusions and other deliberate attacks, Blackbaud has set a series of dangerous precedents.

It was very slow to tell its corporate customers that it had been breached and paid off the criminals; its management have airily insisted to the stock market that all is well despite them doing all the wrong things, from an infosec point of view; and it has publicly relied on cyber insurance making good its losses, presenting investors with a net-zero-loss scenario as if that was nothing to worry about.

In the absence of clear financial or regulatory consequences for Blackbaud's management, other corporations will be tempted to copy this approach – making criminals rich and the online world less safe. ®
