Cyber Incident Victim: Latin School of Chicago
Date: May 2020
Location: United States of America
Summary
The Latin School of Chicago experienced a data breach involving unauthorized access to donor and constituent information hosted by Blackbaud, a third-party service provider. Sensitive personal data, including names, contact details, Social Security Numbers, and philanthropic history, was potentially compromised due to Blackbaud's failure to encrypt certain uploaded forms containing such information. While Blackbaud initially asserted that encrypted fields like SSNs and financial data were inaccessible, the school's investigation revealed that unencrypted forms with SSNs had been stored on the platform, contradicting the provider's security claims. The incident stemmed from a broader ransomware attack against Blackbaud, in which threat actors exfiltrated data before the company paid a ransom to prevent its dissemination.
Description
The Blackbaud data breach, discovered in May 2020, impacted the Latin School of Chicago and numerous other non-profit organizations that used Blackbaud’s cloud-based fundraising and donor management software. A ransomware group infiltrated Blackbaud’s systems, exfiltrating data before deploying ransomware. Blackbaud paid the ransom after receiving assurances the stolen data was destroyed, though the full scope of compromised information remained unclear initially. On August 12, 2020, the Latin School of Chicago notified affected individuals that personal information—including names, addresses, telephone numbers, Social Security Numbers (SSNs), and philanthropic giving history—may have been accessed. The school clarified that while Blackbaud typically encrypted sensitive fields, an oversight left uploaded forms containing SSNs unencrypted. This contradicted Blackbaud’s early claims that no SSNs, bank accounts, or credit card data were accessed. Similar inconsistencies emerged across other organizations: MacDowell reported exfiltrated driver’s license and government ID numbers due to unencrypted fields, while Shady Hill School and Scholarship America confirmed sensitive data was stored without encryption.

Blackbaud issued updated statements on September 29, 2020, acknowledging that for some customers, attackers potentially accessed unencrypted fields containing bank account information, SSNs, usernames, or passwords, though they maintained credit card data was unaffected. Multiple entities, including ADRA International and St. Bonaventure University, independently confirmed financial data exposure. Ball State University’s investigation revealed a paradox: though they asserted they did not store SSNs in their system, attackers may have accessed files containing SSNs or Tax ID numbers. The Perez Art Museum Miami (PAMM) initially considered offering credit monitoring after learning of potential bank account and credit card exposure on August 26 but opted against it based on Blackbaud’s revised assurances. Affected organizations conducted independent analyses, with Latin School and others notifying constituents while Blackbaud provided supplemental support to specific customers identified in late September. The breach underscored systemic encryption gaps in Blackbaud’s handling of uploaded documents, leading to widespread exposure of donor and constituent data across its client base.
