Blackbaud Confirms Hackers Stole Some SSNs, as Lawsuits Increase

An SEC filing reveals hackers gained access to more unencrypted data than previously thought. Some of the millions of breach victims have filed lawsuits against the vendor in response.

The ransomware hackers behind the massive Blackbaud ransomware attack and subsequent data breach likely had access to more unencrypted data than previously disclosed, including bank account information, Social Security numbers, usernames and/or passwords, according to a recent Securities and Exchange Commission filing.

In addition, several of the millions of breach victims have filed lawsuits against the vendor. 

Blackbaud is a cloud computing vendor for nonprofits, foundations, corporations, educational institutions, healthcare entities, and change agents. Beginning in mid-August, the vendor began notifying some of its clients that it had fallen victim to a ransomware attack, and that the hackers had exfiltrated data prior to launching the malicious payload.

The hack on its self-hosted environment lasted from February 7 until it was discovered by Blackbaud on May 20. During that time, the threat actors stole sensitive data from donors, potential donors, patients, community members with relationships with the entity, and other individuals tied to the impacted organizations.

The breached data varied by entity: for Northern Light Foundation in Maine, the affected data included names, contact details, and birthdates of 657,692 individuals. Other impacted entities included the Children’s Hospital of Pittsburgh Foundation, Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000 total individuals, of which 179,189 are patients), Main Line Health (60,595), Spectrum Health (52,711), and Northwestern Memorial HealthCare (55,983). 

The largest client affected by the Blackbaud breach is Inova Health System in Virginia, with 1 million individuals included in the tally. In recent weeks, other organizations have been added to the tally: Enloe Medical Center, Roper St. Francis Healthcare, NorthShore University Health System in Illinois, Harvard University, University of Kentucky HealthCare, the Guthrie Clinic, and Atrium Health, just to name a few of the reported 25,000 impacted clients.

So far, more than 6 million individuals have been added to the breach tally. 

Blackbaud paid the ransom demand “with confirmation that the copy they removed had been destroyed.” And at the time of the initial reports, the vendor stressed that banking information, SSNs, and other more sensitive data was not included in the breached servers – but that may not be the case. 

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields... In most cases, fields intended for sensitive information were encrypted and not accessible,” according to the SEC filing. 

At the moment, it’s unclear which hacking group was behind the attack, but many groups have taken to the double extortion technique made popular by Maze hackers, including NetWalker, REvil, Sodinokibi, Pysa or Mespinoza, and SunCrypt, among others.

These attacks can lead to a host of issues, including identity theft and fraud, as well as later attacks on these individual victims. 

In response, at least 10 separate class-action lawsuits have been filed against Blackbaud, including in the US District Court of South Carolina in Charleston, the US District Court for the Western District of Washington, and the California Central District Court.

The victims alleged Blackbaud was negligent and breached its contract and that individuals are now at a heightened risk of identity theft and fraud. Another lawsuit argues that Blackbaud demonstrated an “unreasonable lack of oversight and lax security measures.” 

Blackbaud is also accused of failing to timely notify breach victims of the incident and its impact, as well as “failing to properly monitor the computer network and systems that housed the private Information; failing to implement appropriate policies; and failing to properly train employees regarding cyberattacks.”

“Had Defendants properly monitored their networks, security, and communications, they would have prevented the data breach or would have discovered it sooner,” according to the lawsuit filed in the District of Washington. 

The lawsuits seek to “recover damages, restitution, and injunctive relief” on behalf of breach victims, whose injuries they claim were a direct result of Blackbaud’s “unreasonable and deficient data security practices.”

A lawyer representing the individual who filed the lawsuit in the Washington district court has filed a motion to consolidate these lawsuits into one. 

Meanwhile, Michigan Attorney General Dana Nessel has urged residents to watch out for fraudulent emails or phone calls seeking personal information or suspicious donation requests, in light of the Blackbaud breach reports. 

“Personal information with this level of detail, in the hands of fraudsters, is particularly susceptible to spear phishing – a fraudulent email to specific targets while purporting to be a trusted sender, with the aim of convincing victims to hand over information or money or infecting devices with malware,” Nessel warned.  

“Anyone who receives a notification letter regarding the Blackbaud data breach should not dismiss the letter and should not only take the recommended steps in the notice,” she added. “Recipients, and others, should also remain vigilant for suspicious emails, texts or phone calls asking for personal information, donations or other payments.” 

Nessel released a similar notice in 2019 after third-party vendor Wolverine Solutions reported that at least 600,000 state residents were affected by a ransomware attack.
