Cyber Incident Victim: Cleveland Museum of Natural History

Date: May 2020

Location: United States of America

Summary

A ransomware attack targeted a third-party contractor providing services to the Cleveland Museum of Natural History, with the contractor successfully disrupting the intrusion before full system encryption occurred. The attacker exfiltrated some data, prompting the contractor to pay the ransom in exchange for assurances the stolen information was destroyed; no evidence suggests the data was further disseminated or misused. While the museum was indirectly impacted, it confirmed no sensitive personal information—such as Social Security or credit card details—was compromised. The institution notified stakeholders about the incident and advised vigilance against suspicious activity.

Description

In May 2020, Blackbaud—a third-party contractor providing data intelligence, cloud software, and security services to the Cleveland Museum of Natural History—detected a ransomware attack targeting its systems. Blackbaud’s cybersecurity team, assisted by independent forensics experts and law enforcement, intervened during the attack, preventing the threat actor from fully encrypting files or blocking system access. The museum was indirectly affected, as Blackbaud served as its service provider, but no direct compromise of the museum’s infrastructure occurred. Blackbaud confirmed the attacker exfiltrated some data before being expelled from its systems. The company paid the undisclosed ransom demanded by the hacker and asserted it obtained confirmation that the stolen data had been destroyed. Blackbaud and the museum stated their investigations, supported by law enforcement, found no evidence that exfiltrated data was disseminated, misused, or remained accessible to the attacker.

The Cleveland Museum of Natural History learned of the incident through Blackbaud and subsequently notified employees, customers, and visitors about the breach. Museum representatives, including Chief Strategy Officer Meenakshi Sharma and marketing staffer Rachel Rieger, emphasized no museum data—including Social Security numbers, credit card details, or other personal information—was accessed or stolen. The museum directed constituents to report suspicious activity to its [email protected] email, Blackbaud, or law enforcement but did not disclose specific operational impacts. Blackbaud’s role as a provider of cloud-based services for "social good" organizations highlighted the supply-chain nature of the attack, though the initial intrusion vector into Blackbaud’s network remained unidentified. The museum’s public statements reiterated confidence in Blackbaud’s containment and remediation efforts, aligning with Blackbaud’s claim that data integrity was preserved post-ransom payment.
