Fundraising technology provider Blackbaud was hacked in a ransomware attack in May. The firm has admitted it paid a ransom to encourage the cybercriminals to destroy the copy of the stolen data.

NTEN (Non-Profit Technology Enterprise Network) President Amy Sample Ward says this hack should be a wake-up call: "If this doesn't increase your attention and investment in staff training, password management, and security, I don't know what will," she writes on Twitter. Portland-based NTEN “aspires to a world where all nonprofit organizations use technology skillfully and confidently to meet community needs and fulfill their missions.”

Blackbaud has been criticized for not disclosing the attack externally until July and for having paid the hackers an undisclosed ransom. Paying is not illegal, but it goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.

"My main concern is how reassuring - impossibly so, in my opinion - Blackbaud were to the university about what the hackers have obtained," commented Rhys Morgan, a cyber-security specialist and former student at Reading University, whose data was involved. "They told my university that there is 'no reason to believe that the stolen data was or will be misused'."

Blackbaud has said it is working with law enforcement and third-party investigators to monitor whether or not the data is being circulated or sold on the dark web, for example.

"I can't feel reassured by this at all. How can they possibly know what the attackers will do with that information?" Morgan said.

Blackbaud added that it had been given "confirmation that the copy [of data] they removed had been destroyed".

The BBC has reported that at least eight universities in the UK and Canada have had data stolen about students and/or alumni, and Human Rights Watch and the children's mental health charity, Young Minds, have also confirmed they were affected.
In some cases, the stolen data included phone numbers, donation history and events attended.

Under the EU General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident - or face potential fines. The UK's Information Commissioner's Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend - weeks after Blackbaud discovered the hack.

An ICO spokeswoman said: "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making enquiries to both Blackbaud and the respective controllers and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."

Blackbaud's sales during the first three months of the year totaled $223.6 million, up nearly 4 percent from the same period in 2019, according to results the firm reported last week. The Daniel Island, South Carolina-based technology company also swung to a profit for the quarter, earning $4.6 million compared to a $1.1 million loss a year earlier.

Blackbaud sells recurring subscriptions to its software products to charities, colleges, churches, grade schools and other nonprofits. The philanthropy industry has struggled during the pandemic, as discretionary incomes and donations have cratered. But the turbulence could create an opportunity for Blackbaud. Among other things, its tech platform supports virtual events and meetings.

CEO Mike Gianoni told investors during a conference call on Wednesday the company “hasn’t missed a beat operationally,” stating that its platform has helped schools, among others, move to the web during the lockdown. He said the pandemic could push more organizations to realize they need to adopt cloud software. Obviously not at all fazed by the hack.