Consequences of the data security failure are still just coming to light
CHARLESTON, South Carolina––How many animal charity donors’ personal information may be at risk from a four-month security breach at the fundraising, data management, and financial services firm Blackbaud?
The number may be in the tens of thousands, or even the millions, but even discovering how many animal charities are involved in the information leak, and which charities they were, is so far mostly a matter of guesswork.
Blackbaud, which at the end of 2019 claimed to have 45,000 total nonprofit and government customers in 100 nations, has so far disclosed no details about the more than three million individual identities and hundreds of organizational identities believed to have been involved in the security breach.
At least fifteen animal charities have warned donors
Only 15 animal charities, among more than 100 identified by ANIMALS 24-7 as Blackbaud clients, are known by ANIMALS 24-7 to have acknowledged involvement, and to have warned donors to watch for any possible misuse of their personal identification.
The rest may not have been involved at all, but absent public statements from charities in effect marking themselves safe, who knows?
Spot-checking with charities brought spotty responses. At that, ANIMALS 24-7 is aware that the number of animal charities known to use, or have used, Blackbaud services is likely to be just a small percentage of the actual total.
Houston SPCA was among the first to respond
Said Houston SPCA president and chief executive Patti Mercer, who was among the first charity executives to issue a cautionary statement to donors, “On July 16, 2020, Houston SPCA was informed that a Blackbaud software system had been the victim of a ransomware attack that culminated in May 2020.
“Blackbaud resolved the attack,” Mercer said, “and received assurances that the copied data was destroyed. The privacy of our donors and the integrity of our systems are of utmost concern, and we are working with Blackbaud to better understand this incident.”
HSUS also responded early
Humane Society of the United States [HSUS] president Kitty Block issued a similar statement in a printed letter distributed to an undisclosed number of past donors both to HSUS itself, and to the current and former HSUS subsidiaries Humane Society International, Doris Day Animal League, Fund for Animals, South Florida Wildlife Center, and Wildlife Land Trust.
“The data compromised due to the security breach was specific to donors who had interacted with HSUS prior to 2014,” HSUS media relations assistant Erica Heffner told ANIMALS 24-7.
“While some donor contact information was affected,” Heffner acknowledged, “fortunately, no credit or debit card information, bank account information, usernames, passwords, or Social Security numbers were compromised. We notified all donors who were impacted by the breach.
“We had already decided to move away from using Blackbaud prior to the data breach,” Heffner added, “for unrelated reasons, and will be fully disconnected from the company soon. In the interim, we are working with Blackbaud to ensure that our donor information is appropriately protected.”
Soi Dog Foundation was not involved
Only one animal charity using Blackbaud services, the Soi Dog Foundation of Phuket, Thailand, told ANIMALS 24-7 that it knew for sure that no donor information had been leaked.
“We were made aware of the breach and contacted Blackbaud immediately,” said Soi Dog Foundation president John Dalley. “They advised us that Soi Dog Foundation was not involved in the security incident and no action was necessary. We have received no query from any donor regarding this.
“It is worrying,” Dalley added, “that such incidents appear to be happening more and more regularly around the globe. On the positive side, once hackers find a weakness, generally it appears that companies (and governments) take steps to improve their security.”
Soi Dog growth shows need for online service providers
The growth of Soi Dog Foundation, with the help of online service providers including Blackbaud, illustrates why such companies are convenient, and even necessary, for charities trying to accomplish economic growth while holding down investment in personnel and equipment.
Soi Dog Foundation was a small, local, all-volunteer dog rescue organization, with practically no income to speak of, when Dalley and his late wife Gillian, as recent retirees from Britain, took over the day-to-day management when the founders left Phuket several months after the Indian Ocean tsunami of December 26, 2004.
Post-tsunami, the Dalleys invested heavily in online fundraising from potential donors in Britain, the U.S., and Australia, rapidly expanding the Soi Dog Foundation program reach as more money arrived.
“Fundraising is a necessary evil”
“We are indeed still a small foundation, relatively speaking,” John Dalley mentioned, “but were advised quite recently that in terms of directly treating animals, including sterilization surgery, we now treat more animals than any organization in the world.
“We will reach 500,000 animals sterilized some time in December,” Dalley said, “and would have been there already if not for COVID-19, with 250,000 of those being in the last two years.
“Add on the thousands treated at our dog and cat hospitals, and by our community outreach teams, and that amounts to a lot of dogs and cats.”
Fundraising, Dalley said, “is a necessary evil if you want to grow. You can only do as much as the funds you raise. With 300 full time staff to pay these days,” almost all of them in hands-on animal care capacities, it is even more important.
“We have no high paid execs, though, and I remain a volunteer,” Dalley finished.
What exactly happened at Blackbaud?
Said the Blackbaud web site, “After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”
As word of the Blackbaud data breach spread, Times of San Diego reporter Ken Stone wrote on July 29, 2020 that a Blackbaud spokesperson had told him, “We are not providing the names of those who were part of this incident; nor can we discuss any customer specifically. The majority of our customers were not part of this incident – but those customers which were have been notified.”
“Did not reach solutions to the public cloud”
Claimed Blackbaud, “This incident was limited to a subset of our self-hosted (or co-located) environment. No entire product line was part of this incident. This incident did not reach solutions to the public cloud environment (Microsoft Azure, Amazon Web Services), nor did it reach the majority of our self-hosted environment.”
Stone asked the San Diego and San Diego Humane Society, both Blackbaud clients, for comment. Neither organization acknowledged or denied involvement.
A day later, on July 30, 2020, Investor commentator Phil Hill reported that the Blackbaud security breach “originated at a managed hosting (company-run data center) environment for the Raiser’s Edge and NetCommunity products that help organizations manage their fund-raising, keeping track of donors and amounts they have contributed over time. Two months later, on July 16, Blackbaud finally notified customers of the breach.”
Blackbaud paid ransom
According to the initial Blackbaud statement to potentially affected clients, “In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers.
“Because protecting our customers’ data is our top priority,” Blackbaud said, “we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Hackers copied “a subset of data”
Elaborated Inside Higher Ed writer Lindsay McKenzie a day after that, on July 31, 2020, “Criminals may have accessed private information from donors to at least 16 U.S. universities as part of a cyberattack on cloud computing company Blackbaud.”
The list of universities affected had expanded to ten times that many by mid-September 2020. At least 20 major health care providers also turned out to have been affected, along with countless other nonprofit organizations across the full spectrum of nonprofit missions.
“Hackers were unsuccessful in blocking access to Blackbaud files,” McKenzie acknowledged, “but did make a copy of a subset of data. Blackbaud paid a ransom to the criminals to destroy this information––a move that is not encouraged by many law enforcement agencies, as ransom payments are thought to encourage further attacks.”
Breach began in February; discovered in May
The most detailed account to date of the Blackbaud security breach emerged from Paul Clolery of The Nonprofit Times on August 6, 2020.
“The first time anyone at Blackbaud knew there was a problem was May 14,” Clolery wrote, “when there was a suspicious log-in on an internal server. [Blackbaud] officials said the entrance was through a data center server and did not get to its cloud operations.”
Explained one of Clolery’s unnamed sources, “The attack was sophisticated enough that it initially looked like legitimate customer activity. When it escalated, the attack evaded our endpoint detection, intrusion prevention, and monitoring processes. It was eventually tracked back to February 7, 2020.”
Breach fixed by June 3
Added Clolery’s source, “As the criminal began expanding into our systems, our cyber security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking our system access and fully encrypting files.”
Wrote Clolery, “All traces of the cybercriminal and their attempt to regain access ceased by June 3, 2020, according to a timeline provided by a Blackbaud official. That’s when assessing the extent of the damage to the system and to data became more of the focus.
“The cybercriminal continued to contact Blackbaud with the Bitcoin ransom demand,” Clolery said, “and provided on June 18, 2020 what was purported to be a statement of involved files. A third-party forensic assessor provided an official report to Blackbaud on June 25, 2020. That’s when a detailed analysis was begun to correlate the forensic data with customer and product lists to determine and re-confirm all instances of any customer being part of the incident and which product was used by the client.
“Pinky promise from a bad faith actor”
“Between July 9 and July 16, our teams were working around the clock to prepare contact data, author customized, scenario specific communications for each customer that was part of the incident,” Clolery said he was told by a Blackbaud official.
According to Clolery, “Blackbaud is working with the Columbia, South Carolina, office of the FBI,” but neither the FBI nor local police departments offered further information about the case.
Said Brett Callow, identified by Clolery as a threat analyst with cybersecurity firm Emsisoft, “Reality is that companies in this position,” who pay ransoms to regain control of data, “are paying for nothing more than a pinky promise from a bad faith actor.
“Whether ransomware groups do actually destroy the stolen data, upon the ransom demand being paid is something only they know,” Callow added. “I suspect, however, that they do not. Why would a criminal enterprise destroy data that it may be able to use or further monetize?”
More than a million Inova customers affected
Ruth McCambridge on September 8, 2020 considered that question for Nonprofit Quarterly.
A Blackbaud client told McCambridge that, “The company and law enforcement officials have gone looking for some of the data that was stolen and have been unable to find it on illicit websites where such information would normally be sold.”
“That’s why,” the client said, Blackbaud officials “believe that the hackers did, in fact, destroy the data after the ransom was paid.”
“Officials said they paid the ransom ‘with confirmation that the copy they removed had been destroyed,’” reported HealthITSecurity writer Jessica Davis on September 14, 2020.
But Davis also revealed that in the preceding week alone, “Inova Health System reported more than one million individuals were affected by the incident, as well as several other healthcare provider organizations.”
What data did the hackers get?
Added Jessica Haworth of The Daily Swig: Cybersecurity News & Views on September 16, 2020, “The hackers apparently obtained ‘patient details including names, ages, addresses, medical records, dates of treatments, and medical insurance information,’ but not ‘financial account, credit card information, and Social Security numbers.’”
Santa Clara University disclosed to donors that, “Blackbaud determined that contact information, including telephone number, email address, and/or mailing address; a history of donor relationships with Santa Clara University to that point, such as donation dates and amount; and in some cases, dates of birth, may have been accessed in the ransomware attack.
“Monitoring the dark web”
“Based on the nature of the incident, Blackbaud’s research, and third party (including law enforcement) investigation, Blackbaud does not believe any data went beyond the ransomware attack, was or will be misused, or will be disseminated or otherwise made available publicly,” the Santa Clara University statement added. “Blackbaud and third parties, including law enforcement, have been monitoring the dark web and found no instances of such data being released.”
The statements of confidence from Blackbaud and Blackbaud clients that the hijacked donor information was destroyed hint that Blackbaud may have identified the person or persons responsible for the ransomware attack, which in turn suggests that perhaps it was an “inside job,” and that Blackbaud may believe that disclosing the person’s identity might have further consequences for the company.
Why focus on malicious use?
This is of course speculation.
But also worth asking is why the Blackbaud and client statements focus on possible misuse of “names, ages, addresses, medical records, dates of treatments, and medical insurance information,” along with telephone numbers and email addresses, by criminals on the so-called “dark web.”
Said Michael Lomonaco, chief community engagement officer for the John Ball Zoo in Grand Rapids, Michigan, to Jade Fisher of MLive.com, “What we’re telling our donors, based on what Blackbaud is telling us about their breach, is to certainly remain vigilant and keep an eye on your personal information to make sure it’s not being maliciously used.”
Malicious use, however, is far from the only potentially lucrative use of the information.
Data could also be laundered
Most of this type of information, except for medical records and dates of treatments, is freely, routinely, and openly sold by list brokers serving fundraising companies that serve nonprofit organizations, and for that matter, political organizations, candidates, and marketing firms.
The hacker or hackers who infiltrated the Blackbaud system, if able to launder stolen data through a legitimate, established list brokerage, could relatively easily sell three million names, sorted by zip code and donor history, mingled with names from other sources, for $3 million or more––and then sell those names again and again.
Even medical record and date of treatment data could be used as a filter to help sort stolen personal information into salable categories, so long as it is removed before a mailing or email list is transferred to a customer, without leaving a trace behind.
Animal charities known to be Blackbaud clients
The following 101 nonprofit organizations, listed under the headings of Animal advocacy, Animal shelters & humane societies, British animal charities, Canadian animal charities, Other foreign charities, Wildlife rescue & advocacy, Zoos, and Miscellaneous, are known to be, or to have been, users of Blackbaud products and services.
This is likely to be only a partial list––perhaps no more than a sampling.
The 15 Blackbaud client nonprofit organizations known to ANIMALS 24-7 to have issued public statements acknowledging involvement in the 2020 Blackbaud data breach case are indicated with asterisks.
Again, this is likely to be only a partial list, and perhaps only a sampling.
A plus [+] sign means that the organization has informed ANIMALS 24-7 that according to Blackbaud, it was not involved.
The absence of an asterisk or a plus sign does not mean that the organization either was or was not involved, nor that it has not issued any sort of public statement or advisory to donors. Rather, the absence of an asterisk or a plus sign means only that ANIMALS 24-7 does not yet know whether the listed organization was involved, and/or has issued a statement or advisory to donors.
Asterisks, plus signs, and charity names will be added as ANIMALS 24-7 gathers further information.
Animal advocacy
* Doris Day Animal League
* Fund for Animals
* Humane Society International
* Humane Society of the United States
International Fund for Animal Welfare
Animal shelters & humane societies
Animal Humane Society (Minneapolis, MN)
Animal Welfare League of Arlington (Arlington, VA)
Atlanta Humane Society (Atlanta, GA)
Arizona Humane Society (Phoenix, AZ)
Asheville Humane Society (Asheville, NC)
Auburn Valley Humane Society (Auburn, WA)
Austin Humane Society (Austin, TX)
Bangor Humane Society (Bangor, ME)
* Charleston Animal Society (Charleston, SC)
Connecticut Humane Society (Westport, CT)
Dakin Humane Society (Springfield, MA)
Dane County Humane Society (Madison, WI)
* Denver Dumb Friends League (Denver, CO)
Greater Androscoggin Humane Society (Lewiston, ME)
Halifax Humane Society (Daytona Beach, FL)
* Houston SPCA (Houston, TX)
Humane Society of Greater Rochester (Rochester, NY)
Humane Society of Indianapolis (Indianapolis, IN)
Humane Society of Missouri (St. Louis, MO)
Humane Society for Tacoma & Pierce County (Tacoma, WA)
Humane Society of the Silicon Valley (Milpitas, CA)
Inland Valley Humane Society & SPCA (Pomona, CA)
Kansas Humane Society (Wichita, KS)
Kentucky Humane Society (Louisville, KY)
Lexington Humane Society (Lexington, KY)
Lifeline Animal Project (Atlanta, GA)
Lollypop Farm (Fairport, NY)
Los Angeles Animal Services Animal Welfare Trust Fund
Marin County Humane Society (Novato, CA)
Maui Humane Society (Puunene, HI)
Michigan Humane Society (Detroit, MI)
Mohawk Hudson Humane Society (Menands, NY)
Nebraska Humane Society (Lincoln, NE)
North Shore Animal League (Port Washington, NY)
Peggy Adams Animal Rescue League (West Palm Beach, FL)
Pennsylvania SPCA (Philadelphia, PA)
Placer SPCA (Roseville, CA)
Progressive Animal Welfare Society (Lynnwood, WA)
Richmond SPCA (Richmond, VA)
San Diego Humane Society (San Diego, CA)
SPCA of Texas (Dallas, TX)
SPCA Tampa Bay (Tampa, FL)
Wenatchee Valley Humane Society (Wenatchee, WA)
West Suburban Humane Society (Downers Grove, IL)
Wisconsin Humane Society (Milwaukee, WI)
Young Friends Pet Adoption & Humane Education Center (West Palm Beach, FL)
Wildlife rescue & advocacy
* American Wildlife Foundation
Marine Mammal Center
Save the Chimps
Save the Manatees
* South Florida Wildlife Center
Wild Animal Sanctuary
Zoos
Cheyenne Mountain Zoo
Chicago Zoological Society
* Como Park Zoo (St. Paul, MN)
Greenville Zoo (Greenville, SC)
* John Ball Zoo (Grand Rapids, MI)
Louisville Zoo (Louisville, KY)
National Zoo (Washington, DC)
Oregon Zoo (Portland, OR)
Pittsburgh Zoo & Aquarium
San Diego Zoo & Wildlife Park
Seneca Park Zoo (Fairport, NY)
ZooTampa at Lowry Park
British animal charities
All Dogs Matter
Border Collie Trust
* International Animal Rescue
League Against Cruel Sports
* Leicester Animal Aid
* Mayhew Home for Animals
Royal Society for the Protection of Animals
* Royal Zoological Society of Scotland (Edinburgh Zoo)
World Animal Protection
Canadian animal charities
Calgary Humane Society
Canadian Wildlife Federation
* Edmonton Humane Society
Ottawa Humane Society
Regina Humane Society
Other foreign charities
Australia Zoo Wildlife Hospital
+ Soi Dog Foundation (Phuket, Thailand)
Miscellaneous
African Wildlife Foundation
AKC Canine Health Foundation
Animal Welfare Approved
* Wildlife Land Trust
World Wildlife Fund
(These are organizations not known to be Blackbaud clients, but which have in various ways promoted Blackbaud services to the humane community.)
Association for Animal Welfare Advancement