Over 50 universities in the UK, US, Canada, and New Zealand were affected when Blackbaud was cyber-attacked in May 2020.
It is said that the hacker accessed names, titles, gender, dates of birth, student numbers, addresses, phone numbers, and email addresses, as well as LinkedIn profile URLs. Blackbaud was able to shut down the attack quickly, but it was not able to prevent the hacker from stealing a subset of data from the hosted environment.
Blackbaud disclosed the attack to the public only in July, stating that it had paid the demanded ransom and had no reason to believe that the subset of data had not been destroyed. In addition, third-party investigations show no evidence that the data has been shared by the cybercriminal.
Blackbaud is now heavily criticized for not having disclosed this breach earlier, as well as for paying a ransom whose amount it has declined to divulge. Although paying a ransom is not illegal, it does go against the advice of numerous law enforcement agencies.
Although Blackbaud has not disclosed the exact amount, the average ransom payment is 85,000 USD, say security experts.
Most customers who were affected by this attack experienced no outages as Blackbaud remained operational throughout the ordeal. However, some universities are launching their own investigations and are suspending their use of Blackbaud.
Some have speculated that the breach was specific to the ResearchPoint application and not Raiser’s Edge, but others have said that it also affects Financial Edge customers and the Blackbaud NetCommunity product.
We have mapped out the institutions that have been in the media or have submitted a news alert to their community. Based on this information and the information contained in our database, we can see that the affected institutions do not all have a single system in common. The list below shows each system and, on the right, the number of institutions currently using it, counting only those that have publicly confirmed a data breach.
Awards Management 3
Blackbaud CRM 8
Financial Edge 2
Raiser’s Edge 31
Our database contains over 700 higher education clients of Blackbaud. As mentioned above, we have now found over 50 that have issued public statements. Those institutions can be seen in orange on the map. The blue dots represent all other current clients.
We have seen several universities that are actively asking questions about who is doing what and sharing information with one another. This could imply that multiple other institutions have been affected.