Security Incident

Updated September 29, 2020

The cybercrime industry represents a more than trillion-dollar industry that is ever-changing and growing all the time—a threat to all companies around the world. Like many in our industry, Blackbaud encounters millions of attacks each month, and our expert Cyber Security team successfully defends against those attacks while constantly studying the landscape to stay ahead of this sophisticated criminal industry. We wanted to notify our customers and other stakeholders about a particular security incident that recently occurred.

Summary of Incident

In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files, and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

Explanation of Involvement

The majority of our customers were NOT part of this incident. This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted (private cloud) environment. No entire product line or private cloud datacenter was part of the incident, which means that how one customer was involved may not be the same as another. Our Blackbaud Merchant Services payment service was not part of this cyber-attack. Because the data involved varied from customer to customer, it is important that our customers speak with Blackbaud to determine their specific level of involvement, if any at all. We have contacted all involved customers to explain their circumstances and provide support.

For those customers where Blackbaud directly communicated involvement in the security incident:

  • The cybercriminal did not access credit cardholder data.
  • Further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the incident. Customers who this applies to who we believe are using these fields for such information were contacted the week of September 27, 2020 and were provided with additional support.

We sincerely apologize that this happened and will continue to partner closely with our customers as we jointly navigate this cybercrime incident.

More about Blackbaud’s Cybersecurity Practices and Next Steps Following this Incident

Over the last five years, we have built a substantial cybersecurity practice with a dedicated team of professionals. Independent reviewers have evaluated our program and determined that it exceeds benchmarks for both the financial and technology sectors. We follow industry-standard best practices, conduct ongoing risk assessments, aggressively test the security of our solutions, and continually assess our infrastructure. We are also a member of various Cyber Security thought leadership organizations, including the Cloud Security Alliance and the Financial Services Information Sharing and Analysis Center (FS-ISAC), where we team up with other experts to share best practices and tactical threat information for the Cyber Security community. We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again. You can review more details on our security, risk, compliance and privacy programs here.