Cyber Incident Victim: MacDowell

Date: Oct 2020

Location: United States of America

Summary

A ransomware attack targeting Blackbaud, a service provider, compromised MacDowell's donor data, including driver's license and government ID numbers. Blackbaud initially asserted that no sensitive information was accessed but later acknowledged that unencrypted fields containing such data were exfiltrated due to an oversight, which MacDowell learned of only after the incident. Multiple other entities, including educational institutions and nonprofits, independently confirmed inconsistencies in Blackbaud's claims, identifying exposed unencrypted data such as Social Security numbers, bank account details, and philanthropic histories despite assurances that encrypted fields remained secure.

Description

The Blackbaud ransomware incident, discovered in May 2020, involved unauthorized access to the cloud-based customer relationship management (CRM) platform used by numerous non-profit and educational institutions. Threat actors exfiltrated data before deploying ransomware, with Blackbaud paying a ransom to prevent public release of stolen information. Initial Blackbaud notifications in mid-2020 claimed no sensitive data like Social Security numbers, bank account details, or credit card information had been compromised, asserting such fields were encrypted. Subsequent investigations by affected organizations revealed inconsistencies in these claims. MacDowell, an arts non-profit, disclosed that Blackbaud's security oversight left certain fields containing driver's license numbers and government identification numbers unencrypted, contrary to standard encryption practices for sensitive data. MacDowell only became aware of this vulnerability after the breach occurred, indicating gaps in Blackbaud's transparency and security protocols.

Multiple organizations confirmed similar discrepancies through independent forensic reviews. The Latin School of Chicago found Blackbaud did not encrypt uploaded forms containing Social Security numbers, while ADRA International reported potential exposure of credit card and bank account information. Ball State University's investigation contradicted Blackbaud's assurances, determining attackers potentially accessed files with Social Security numbers despite the institution's policy against storing such data in the system. By late September 2020, Blackbaud revised its stance, acknowledging threat actors might have accessed unencrypted fields containing bank account information, Social Security numbers, usernames, and passwords for some customers. Impacted entities like St. Bonaventure University notified donors about potential exposure of banking details, while others like Perez Art Museum Miami opted against offering credit monitoring based on Blackbaud's evolving statements. The incident eroded trust in third-party vendor security assurances, necessitating independent verification by affected organizations to assess actual data exposure risks.
