Over the course of May, June, and July 2020, Blackbaud suffered a ransomware cyber-attack. At this time, the hacker was able to access personal information in the company database: names, titles, gender, dates of birth, student numbers, addresses, phone numbers, email addresses as well as LinkedIn profile URLs. From what the company has said, the breach was quickly contained, but the damage was done.
When Blackbaud decided to disclose the attack in July and August, they were then blamed by their clients (universities, health companies as well as non-profit organizations) for the “heightened risk of identity theft and fraud due to Blackbaud’s ‘negligent conduct’ with regard to safeguarding the sensitive information of thousands of students, patients, doctors, and donors.” (Allen v. Blackbaud).
More recently, I have learned that, in some cases, the hacker was able to obtain partial credit card numbers. Universities are unsatisfied with the way Blackbaud minimized this aspect of the cyber-attack.
One of my professional connections mentioned that his university reached out to its law firm to see whether a partial credit card number constitutes a breach. From the different conversations between Blackbaud and its clients, Blackbaud never seemed to define partial credit card numbers as credit card information. Another contact even pointed out a possible phishing situation where a malicious person could send a text to an alumnus or donor asking them to update their credit card information on the XYZ e-commerce website.
In addition to the class action filed on August 12, 2020, by Allen, another one (Johnson v. Blackbaud) was brought to the media's attention on September 4, 2020. Both class actions allege that the company neglected to properly store personal information on its computer network. Among the demands in the Johnson complaint (p. 4) is that Blackbaud adopt reasonably sufficient security practices to safeguard the personal information that remains in its custody, in order to prevent incidents like this data breach from recurring in the future.
On its website, Blackbaud created a page on the ‘security’ incident. The vocabulary used tries to minimize the situation and shows how the company has invested in professional security personnel within the last five years. A question many may ask is: why did the data breach happen if this team was at work trying to avoid this kind of attack?
The graph above shows the number of new clients in green and the number of clients lost in red. As you can see, Blackbaud has had a positive relationship with its customers and has, over time, gained more customers than it lost. The only exception is the year 2020. Since 2020 is… 2020, I can't say whether this is due to the data breach, or simply because several selection committees have been halted, or even because resources have simply been reallocated.
At the moment, I don't know exactly how this security breach will impact Blackbaud in the future, especially with regard to maintaining its client base or attracting new clients. Some institutions have been asking whether other solutions can be used in place of Blackbaud; but since they are still under contract with Blackbaud, these alternatives will have to wait. One thing is certain: these class actions may impact the perception clients have of how Blackbaud reacts in a security crisis.