Software firm paid off a ransomware gang, believed its hackers when they said they had destroyed the data, and has now discovered the cyber criminals accessed even more sensitive information than it thought
Cloud software supplier Blackbaud, which paid off a ransomware gang and took seriously the word of cyber criminals that they had destroyed the data, is again under fire after disclosing that the hackers accessed more information than it thought, including financially sensitive information and passwords.
The firm was attacked in May 2020 but waited nearly two months to disclose the fact. It said its team, working alongside law enforcement and independent forensics specialists, was able to prevent significant damage and expelled the attackers from its system. But before that, the ransomware gang removed a copy of a subset of data from its self-hosted environment.
Blackbaud said that “because protecting the data of our customers is our top priority” it paid off the attackers, even though industry-accepted wisdom holds that this is an exceptionally bad idea.
It claimed the cyber criminals had not accessed credit card information, bank account information, or social security numbers. However, its own investigation has now shown this to be untrue.
In a new filing with the US Securities and Exchange Commission (SEC), Blackbaud said: “After 16 July, further forensic investigation found that for some of the notified customers, the cyber criminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.
“These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of 27 September 2020 and are being provided with additional support.
“We expect our security incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as possible.”
Emsisoft threat analyst Brett Callow said: “Working out what did or did not happen in the aftermath of a ransomware attack requires a forensic investigation that can take weeks to complete. To my mind, these incidents should be treated as data breaches from the get-go and customers and business partners immediately notified so they can take steps to minimise their risks. Better yet, paying demands should be banned so that ransomware attacks become a thing of the past.”
Callow is one of a number of security experts who advocate outright government bans on ransomware payments, pointing out in a recent blog posting that ransomware attacks only remain profitable because organisations pay up, perpetuating the cycle, so removing that possibility altogether was an obvious step in the right direction.
He compared ransomware to other “collective action problems” such as climate change, or even Covid-19, that require people to act in unison, and said that, seen in that light, legal bans could be just what is needed in the fight against it.
The Blackbaud data breach affected myriad customers in the education and charity sectors, who use its software to keep track of alumni and donors.
In the UK, these include the universities of Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London. Multiple Oxbridge colleges and several private schools have also been implicated.
The list of non-profit victims includes Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, the National Trust, Sue Ryder, the Urology Foundation and the Wallich. Data on people who made donations to the Labour Party was also taken.
Matt Lock, UK technical director at Varonis, said it was easy to draw a direct line between the Blackbaud attack and a spate of subsequent cyber attacks on academic institutions in the UK that has prompted the National Cyber Security Centre (NCSC) to step up its support for the sector.
“Universities are a prime target for cyber criminals, as they hold detailed information on their students, faculty and research in networks that are all too often outdated and under-protected,” he said.
“Ransomware’s double-jeopardy factor is an effective attack vector for cyber criminals in this situation. It exfiltrates valuable original research data and IP for later sale on the dark web while locking the authors out of files that could potentially contain hundreds of hours of irreplaceable work.
“Amid all the changes forced upon universities this year by the pandemic is a big shift to, in some cases, entirely virtual learning. With this transition comes a huge amount of new attack surface for cyber criminals to take advantage of, and there has already been a spike in attacks on educational institutions, as the NCSC warned earlier this month.
“With so many of the staff and students accessing the university network remotely, there are a huge number of new and potentially unsecured devices connecting to the network.”
Lock added: “It is vital not only to build cyber security awareness in new students and faculty, but also to maintain that awareness for those already on the network, to ensure that these devices don’t pose a risk to the university.”