Blackbaud hack affects unknown numbers

Yesterday, some Blackbaud users (mainly of the Raiser’s Edge) were notified by email that their data may have been subject to a hack.

However, some Blackbaud clients have found them been less than forthcoming on who exactly was hacked, and to what degree (how many data subjects were affected and what data was hacked). As I write this, the UK website does not mention it, though it is reported on the US site.

According to Blackbaud’s report above, the hack actually took place in May, involved ransomware, and a ransom was paid (which is normally very rare for obvious reasons). According to Blackbaud, they only paid up when they had received confirmation that the copy of the data that had been removed, had been destroyed. That does seem very trusting of them, and relies on the hackers not keeping, using or selling any data they took.

If I was a UK Blackbaud client, I would also be very aware that this happened 2 months ago and Blackbaud made contact only yesterday. UK organisations have just 72 hours to notify the ICO of a data breach, if it is reportable. So when will Blackbaud provide sufficient information to enable organisations to know what action to take (reporting and informing data subjects)? And why did Blackbaud think it acceptable to wait 2 months before telling anyone?

For organisations that have Blackbaud as a processor, this would be a natural time to review your contracts, and your data breach policies and procedures. This is a core part of our Data Protection Review so contact me for more on how this could help you.