Cyber Incident Victim: Ball State University
Date:
May 2020
Location:
United States of America
Summary
A ransomware attack targeting Blackbaud, a cloud software provider, compromised Ball State University's donor data. While Blackbaud initially asserted that encrypted sensitive information like Social Security numbers and bank details remained secure, the university's independent investigation revealed potential exposure of Social Security/Tax ID numbers despite its policy against storing such data in the system. The incident highlighted inconsistencies in Blackbaud's breach disclosures, as multiple affected organizations, including the university, identified unencrypted fields containing donor information—such as names, addresses, philanthropic history, and government IDs—that were accessed and exfiltrated by attackers. Blackbaud later acknowledged that unencrypted bank account data, usernames, and passwords might have been compromised for some clients.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Blackbaud data breach, discovered in May 2020, impacted Ball State University’s Foundation among numerous non-profit organizations globally. Ball State issued a notification on September 18, 2020, stating that while Blackbaud’s investigation found no encrypted information—such as Social Security numbers, bank account details, or passwords—had been obtained by attackers, the university’s independent analysis contradicted this assertion. Ball State confirmed its standard practice of not storing credit card information or Social Security numbers in its systems but acknowledged cybercriminals might have accessed files containing Social Security Numbers or Tax ID Numbers. This discrepancy highlighted inconsistencies between Blackbaud’s initial claims and findings from affected organizations. Blackbaud had originally asserted that sensitive fields were encrypted and inaccessible, but multiple entities discovered unencrypted data exposures during their investigations.
The broader incident involved ransomware actors exfiltrating data from Blackbaud’s cloud-based customer relationship management systems. Ball State’s exposure occurred through files uploaded to Blackbaud’s platform, mirroring issues reported by other institutions like the Latin School of Chicago, which found unencrypted forms containing Social Security Numbers. Organizations including MacDowell, ADRA International, and St. Bonaventure University confirmed threat actors accessed donor information such as names, addresses, philanthropic histories, bank account numbers, and government IDs. Blackbaud revised its stance in late September 2020, admitting unencrypted fields storing bank details or Social Security Numbers might have been compromised for some customers. Ball State and others relied on Blackbaud’s forensic reports while conducting parallel investigations, leading to staggered notifications between August and September 2020. The breach prompted institutions to review data storage practices and notify affected donors, though responses varied—Perez Art Museum Miami opted against credit monitoring based on Blackbaud’s assurances, while others emphasized potential financial and identity theft risks.