The Blackbaud ransomware breach — impact on school clients
In July, 2020, cloud software firm Blackbaud announced that it had been the victim of a ransomware attack that began in February of 2020 and continued until Blackbaud was able to kick the attackers out of their system in May. In order to try to protect their clients from having personal and sensitive information on donors, students, or patients publicly dumped, Blackbaud paid the threat actors an undisclosed amount of ransom in exchange for assurances that the threat actors were destroying all copies of any data that had been exfiltrated.
From July until recently, Blackbaud continued to provide its clients with information as to what kinds of data the client had stored with Blackbaud. While DataBreaches.net has been tracking reports of American Blackbaud clients whose reports involved health information of patients or donors, Marco de Felice has been compiling information on foundations, hospitals, and now, in Part 3 of his series on the Blackbaud breach, educational institutions (k-12 and post-secondary).
Marco, who used freedom of information/public records requests of entities and government agencies in multiple countries, reports that he was able to identify 419 educational institutions (universities, colleges, K-12), but that 419 was only a partial number. For those 419 entities, he had number of people affected for 172 of the entities, partial number of people affected for 87 of the entities, and no numbers for 160 of the entities. All told, he could account for 7,674,140 people.
Given that there was very little overlap between his list of entities and DataBreaches.net’s list, it seems clear that American health-related entities who used Blackbaud for donor solicitation or donor relations management stored data on many more people than educational entities using Blackbaud’s services. Specifically, while Marco reports less than 7.7 million people for more than 172 clients, DataBreaches.net tabulated 11,763,304 people for the 87 reports from American medical entities or health-related associations for which numbers had been reported.
In their desire to raise funds, are health-related entities storing too much personal and protected health information with business associates?
Marco has some suspicions about the Blackbaud incident, and readers may wish to read all three parts of his series on SuspectFile to understand what he suspects and why. You can also follow him on Twitter @amvinfe.