
Cyber Incident Victim: Shady Hill School

Date:

May 2020

Location:

United States of America

Summary

A ransomware attack targeting Blackbaud, a service provider used by Shady Hill School and other institutions, resulted in data exfiltration involving unencrypted sensitive information despite initial claims to the contrary. The school’s investigation revealed that certain fields containing donor details—including names, addresses, phone numbers, Social Security numbers, and financial data like bank account information—were left unsecured due to an encryption oversight by Blackbaud. This discrepancy contradicted Blackbaud’s assurances that encrypted fields protected such data, prompting multiple affected organizations to issue revised notifications about the potential exposure of personally identifiable and financial information.


Description

The Blackbaud data breach, discovered in May 2020, involved unauthorized access to the cloud computing provider’s systems by a ransomware group. Blackbaud initially claimed no Social Security numbers, bank account data, or credit card information had been accessed or exfiltrated, asserting that sensitive fields were encrypted. Subsequent investigations by affected organizations, including Shady Hill School, revealed inconsistencies in these assertions. Multiple entities found that Blackbaud had left certain fields unencrypted due to an oversight, enabling threat actors to potentially exfiltrate sensitive donor and customer information. For example, MacDowell confirmed that driver’s license numbers and government ID numbers were stored in unencrypted fields, contrary to Blackbaud’s standard practices. Shady Hill School and Scholarship America similarly reported that sensitive data had not been encrypted and was likely compromised. Blackbaud later revised its notification in September 2020, acknowledging that for some customers, attackers may have accessed unencrypted fields containing bank account information, Social Security numbers, usernames, and passwords.


The breach impacted numerous non-profit and educational institutions, exposing donor records containing names, addresses, phone numbers, dates of birth, philanthropic histories, and in some cases, financial details. Organizations like the Latin School of Chicago identified that uploaded forms containing Social Security Numbers were stored unencrypted, while ADRA International confirmed potential exposure of credit card and bank account information. Ball State University’s investigation contradicted Blackbaud’s claims, revealing that files with Social Security Numbers might have been accessed despite the university’s policy against storing such data. St. Bonaventure University notified donors that bank account and routing numbers were compromised. Affected entities conducted independent forensic reviews and issued notifications between August and September 2020, with some offering credit monitoring services. Blackbaud provided revised guidance to customers and contacted those potentially impacted by unencrypted data exposure in late September. The incident underscored discrepancies between Blackbaud’s initial assurances and the forensic realities uncovered by clients.
