Cyber Incident Victim: Holden Forests and Gardens
Date:
Feb 2020
Location:
United States of America
Summary
A ransomware attack targeting cloud software provider Blackbaud impacted multiple Ohio-based organizations, including Holden Forests and Gardens. The breach potentially exposed donor and visitor information such as names, contact details, transaction histories, and relationship records, though financial data and social security numbers were reportedly unaffected. Blackbaud paid the ransom after the attacker exfiltrated a data copy, claiming the stolen information was subsequently destroyed. Affected institutions notified constituents months after the incident, advising vigilance against suspicious activity while emphasizing that core systems like payment processing remained uncompromised. The incident prompted some organizations to reevaluate third-party vendor relationships.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The ransomware attack targeting Blackbaud, a global cloud software provider serving nonprofit and educational institutions, occurred in February 2020. Blackbaud detected the intrusion in May 2020 and engaged independent forensic experts and law enforcement to expel the attacker from its systems. Before removal, the attacker exfiltrated a copy of data from Blackbaud's environment. The company paid a ransom demand to the threat actor and received assurances the stolen data was destroyed. Blackbaud stated no credit card details, bank account information, or Social Security numbers were compromised during the incident. Multiple Ohio-based clients of Blackbaud, including Holden Forests and Gardens, were notified of the breach in July 2020, approximately two months after Blackbaud's internal detection. Holden Forests and Gardens disclosed that attacker access potentially exposed member and guest information including first and last names, email addresses, mailing addresses, phone numbers, and transaction histories. The organization advised affected individuals to monitor financial accounts for unauthorized activity and consider obtaining free credit reports, though it did not report direct evidence of financial fraud stemming from the breach.
Other regional institutions relying on Blackbaud services experienced varying impacts. The Cleveland Museum of Natural History utilized Blackbaud’s software and servers for its point-of-sale system, handling ticketing, guest check-ins, and communications. The Cuyahoga Community College Foundation confirmed exposed data included contact details, demographic information, and donation histories. Kent State University’s Division of Institutional Advancement, which managed alumni relations and philanthropy through Blackbaud’s ResearchPoint platform for 12 years, reported similar data exposure risks. Kent State notified constituents on August 3, 2020, advising vigilance against identity theft and suspicious donation solicitations. University representatives expressed frustration over Blackbaud’s delayed notification, which hindered their ability to promptly alert affected individuals. Constituents raised concerns about potential bank information compromise and requested removal from marketing lists, though Kent State clarified financial records and academic transcripts remained secure. The breach prompted institutional reviews of third-party vendor relationships, with Kent State exploring alternative service providers while continuing to manage existing data within Blackbaud’s systems.