Cyber Incident Victim: Providence Children's Museum
Date: Feb 2020
Location: United States of America
Summary
A ransomware attack targeting software provider Blackbaud compromised backup files containing personal information from the Providence Children's Museum and another Rhode Island organization. The museum confirmed no credit card, banking, or social security data was stored in the affected system, but generic personal information in the stolen backups may have been exposed. Blackbaud stated the attacker likely did not access or misuse the data beyond the initial extraction, based on their investigation and law enforcement collaboration. The breach occurred over several months before detection, with notifications issued following the provider's discovery of the incident.
Description
The ransomware incident affecting Providence Children's Museum originated through a third-party software service provider, Blackbaud, which experienced unauthorized system access between February 7 and May 20, 2020. Attackers deployed ransomware and exfiltrated backup files containing personal information from Blackbaud's systems before being locked out. The museum was notified of the breach by Blackbaud on July 16, 2020—nearly five months after the initial intrusion—indicating delayed detection. Compromised data potentially included generic personal information stored in Blackbaud's fundraising and engagement platforms, though the museum confirmed no credit card details, banking information, or Social Security numbers were stored in these systems. Rhode Island College Foundation, another Blackbaud customer, similarly reported theft of a backup file containing personal data. Blackbaud asserted to both organizations that forensic investigations found no evidence the stolen data was disseminated beyond the attacker or misused.

The breach exposed non-sensitive constituent information but prompted formal notifications to museum stakeholders about potential data exposure. Both organizations emphasized Blackbaud's assurances regarding the containment of stolen data and the absence of financial or highly sensitive records in compromised systems. No operational disruptions or ransomware payments by the museum were disclosed. Third-party investigators, including law enforcement, participated in assessing the incident's scope. Blackbaud implemented undisclosed remediation measures following the attack, though specific technical containment steps taken by the vendor remained unspecified in public communications. The museum's disclosure focused on transparency regarding the third-party incident while underscoring the limitations of data exposure within their own records.
