Cyber Incident Victim: Perez Art Museum of Miami
Date:
Sep 2020
Location:
United States of America
Summary
The Perez Art Museum of Miami experienced a data breach involving its cloud service provider, Blackbaud, stemming from a ransomware attack that compromised donor information. Attackers potentially accessed unencrypted fields containing sensitive financial data such as credit card and bank account details, despite Blackbaud's initial assurances that such information was encrypted and not exfiltrated. The museum became aware of the exposure weeks after the incident and relied on Blackbaud's subsequent statement denying credit card data access, opting against offering credit monitoring services. Multiple other organizations contradicted Blackbaud's claims, reporting that unencrypted files containing Social Security numbers, bank details, and government IDs were indeed accessed due to encryption oversights in uploaded forms and specific data fields.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Perez Art Museum of Miami (PAMM) disclosed a data breach on September 5, 2020, stemming from a ransomware attack on Blackbaud, its cloud service provider. PAMM learned on August 26 that the incident, which occurred earlier in 2020, potentially exposed donor and customer credit card and bank account information stored in Blackbaud’s systems. Over the preceding month, PAMM collaborated with Blackbaud and external cybersecurity professionals to investigate the scope of compromised data. Blackbaud’s initial public statements claimed no sensitive data—including Social Security numbers, bank account details, or credit card information—had been accessed or exfiltrated by attackers. However, Blackbaud revised its assessment on September 29, acknowledging that unencrypted fields containing bank account information, Social Security numbers, usernames, and passwords might have been accessed for some customers. Despite this update, Blackbaud maintained its original assertion that credit cardholder data was not compromised. PAMM relied on Blackbaud’s assurances and opted not to offer credit monitoring services to affected individuals, a decision that drew scrutiny given conflicting reports from other Blackbaud clients.
Multiple organizations contradicted Blackbaud’s claims through independent investigations. ADRA International confirmed on September 29 that supporter data exposed in the breach potentially included credit card and bank account information. The Latin School of Chicago discovered on August 12 that unencrypted uploaded forms containing Social Security numbers resided in Blackbaud’s systems, contrary to Blackbaud’s encryption assurances. Ball State University’s September 18 notification revealed that attackers might have accessed files with Social Security numbers despite the university’s policy of not storing such data in Blackbaud. St. Bonaventure University similarly confirmed on September 14 that donor bank account and routing numbers were potentially compromised. These discrepancies highlighted systemic inconsistencies in Blackbaud’s data handling practices, particularly regarding encryption of uploaded documents and sensitive fields. PAMM’s incident underscored operational reliance on third-party vendor disclosures, with the museum’s response directly shaped by Blackbaud’s evolving—and at times contradictory—statements about data exposure risks.