Cyber Incident Victim: St. Bonaventure University
Date:
Feb 2020
Location:
United States of America
Summary
A ransomware attack targeting Blackbaud, a cloud service provider, compromised donor data from St. Bonaventure University and other nonprofit entities. The breach involved exfiltration of unencrypted sensitive information, including names, bank account numbers, and routing numbers, despite initial claims by the vendor that encrypted fields like financial data remained secure. Subsequent investigations by multiple affected organizations revealed inconsistencies in Blackbaud's disclosures, with some confirming exposure of Social Security numbers, government IDs, and philanthropic history due to unencrypted uploads or system oversights. The university confirmed potential access to donor banking details through its independent analysis following the vendor's delayed transparency about the incident's scope.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Blackbaud data breach, discovered in May 2020, impacted numerous nonprofit and educational institutions, including St. Bonaventure University. A ransomware group infiltrated Blackbaud’s systems, exfiltrating data before deploying ransomware. Blackbaud initially asserted in July 2020 that no sensitive information—including Social Security numbers, bank account details, or credit card data—had been compromised, claiming such fields were encrypted. Subsequent investigations by affected organizations contradicted these assurances. On September 14, 2020, St. Bonaventure University notified donors that their names, bank account numbers, and routing numbers were potentially accessed. The university’s analysis revealed Blackbaud had left certain fields unencrypted due to an oversight, allowing threat actors to extract data typically expected to be protected. This mirrored findings by other entities like MacDowell and the Latin School of Chicago, which identified unencrypted government IDs, Social Security numbers, and financial details in uploaded forms or database fields.
Blackbaud revised its stance in late September 2020, acknowledging that unencrypted bank account information, Social Security numbers, usernames, and passwords might have been accessed for a subset of customers. St. Bonaventure’s notification aligned with this broader pattern of inconsistencies between Blackbaud’s initial reports and institutional audits. The breach’s scope extended beyond St. Bonaventure, affecting organizations like ADRA International, which confirmed exposure of credit card and bank data, and Ball State University, where files containing Social Security numbers were potentially compromised despite claims of non-retention. Perez Art Museum Miami (PAMM) opted against offering credit monitoring based on Blackbaud’s denial of credit card exposure, though doubts persisted. St. Bonaventure did not disclose specific response measures beyond notifying donors, while other institutions like Scholarship America and Shady Hill School reinforced the systemic nature of Blackbaud’s encryption failures. The incident underscored operational risks for entities reliant on third-party data management platforms, with St. Bonaventure’s donor financial information among the confirmed impacts.