Blackbaud Security Incident – what to consider

Blackbaud has informed its clients of a security incident.

Protecture’s initial thoughts are:

  1. Blackbaud has taken the incident seriously and has taken significant measures in response.
  2. They have some assurance (albeit one that might not be worth much) from the hacker that the data they stole has been deleted.
  3. They are saying they have no evidence that the data went beyond the cybercriminal, that it was or will be misused, or that it will be disseminated or otherwise made publicly available.
  4. They also have no evidence that it hasn’t been misused…
  5. They are using a company to monitor the dark web as an extra precautionary measure.
  6. Financial data was not subject to the incident.

The questions to consider now:

  1. The key question, both for whether to report to the ICO and for whether to inform the individuals affected, is the actual or potential harm to people.
  2. In this case, where a major supplier has had a breach, reporting to the ICO almost becomes less significant, as the ICO will already be aware of the breach through Blackbaud, and aware that all of Blackbaud’s clients will have been affected in some way.
  3. The important thing to consider is, therefore, the potential harm to people, given the nature and scope of the personal data, the context (who you are as an organisation) and the purposes for which you used the CRM.
    1. Can you establish what data would, therefore, have been on the backup subject to the incident…and does this contain anything sensitive?
    2. Protecture clients could consider using our Breach Log, which has an Assessment tool where you can ask yourself questions about the breach and “score” the impact.
    3. In Covid-19 times, where online scams are more likely and cybercriminals will use any data to improve (personalise) their phishing emails, there may be an increased need and expectation to inform people (even if the risk is low) so that they have the knowledge to at least look out for anything unusual.
    4. This is what happened with easyJet – see our article here: https://protecture.org.uk/delayed-flight-easyjet-and-when-to-report-a-breach/

We would also advise that you:

  1. Review your contract with Blackbaud to understand the position on liability, and consider whether or not this is reportable to your insurers or any of your regulators (for example, the Charity Commission).
  2. Check your internal governance procedures to understand if this is a matter that needs to be reported to senior management (e.g. your Board of Trustees).