Leading cloud software provider Blackbaud is facing 23 lawsuits over the ransomware attack it suffered in May 2020. Blackbaud operates in countries around the world, including the United States, the United Kingdom, Australia and Canada.
The company disclosed the ransomware attack on July 16, 2020. Many organizations were affected by the attack on Blackbaud: charities, non-profit institutions and universities from the US, Canada, the United Kingdom and the Netherlands.
The company said it managed to prevent the attackers from fully encrypting its systems, but not before they stole a "copy of a subset of data" from a self-hosted environment.
Blackbaud paid the ransom demanded by the attackers after confirming that the stolen data had been destroyed.
Blackbaud informed us today that it faces 23 lawsuits connected to the ransomware attack in May, as stated in its quarterly report for 2020 submitted to the U.S. Securities and Exchange Commission (SEC).
Let us now look at what brought the victims to the point of suing Blackbaud.
In late September, Blackbaud was "forced" to amend a press release previously posted on its website, acknowledging that the data stolen during the ransomware attack could also relate to bank account information, social security numbers, usernames and/or passwords, and driving licenses.
Take, for example, the case of The MacDowell Colony Inc. of Peterborough, New Hampshire, which on August 21 (more than a month earlier than Blackbaud) was forced to notify the Attorney General's Office of the security breach. The stolen data included social security numbers, government identification numbers and, of course, driver's license numbers.
MacDowell, on its own initiative, offered a free two-year subscription to Experian IdentityWorksSM, an identity and verification service that includes bank credit monitoring, bank credit reports, customer support for fraud, identity theft insurance and much more. It also offered ExtendCare, a support service for resolving scams. This is something that Blackbaud did not do for any of the individuals whose data was stolen.
It is a data breach that has affected non-profit institutions, universities, K-12, cultural associations, and also hospitals and universities in various countries around the world other than the USA, such as Canada, Australia, New Zealand, Hungary and the United Kingdom.
Hospitals and universities
To date, more than 170 hospitals have been confirmed as affected by the data theft at Blackbaud, with more than 10 million people, patients and staff, affected. The following data were stolen from patients:
- Name and surname
- Date of birth
- Email address and password
- Phone number
- Social Security number
- Banking data
- Date of health care
- Names of the departments of the hospital service
- Therapist and treating physician
- Medical registration number
Two hospital systems are the most affected: Trinity Health (3,320,726) and Inova Health (1,045,270). These two systems alone account for almost half of the total number of cases found so far (4,365,996 people were affected).
Most surprisingly, at almost every hospital or affiliated university, the period covered by the Blackbaud database backups far exceeds a reasonable maximum of 1 or 2 years.
In the case of the 92 facilities in 22 US states that make up the entire Trinity Health hospital system, the databases contained information going back 20 years (2000-2020). Trinity itself states this in a press release published both on the "parent website" and on the pages of some of its associated hospitals.
Many others, on the other hand, published very brief press releases with few details about the cyber incident, while still others published no notice at all mentioning the Blackbaud data breach. As a result, no one, especially patients and employees, was given a chance to understand whether their hospital had been affected by the theft of their personal data.
What is missing at a large number of the hospitals, medical universities and institutes involved in the data breach is properly informing patients and staff.
The lack of communication is the biggest mistake Blackbaud made: it was unable to protect the interests of its customers, and it handled the attackers in an unprofessional manner, then paid them without being absolutely certain that the thousands of sensitive records would not also be used by the ransomware (Maze?) group or by other hacking groups, as we believe happened.
Source of information: www.suspectfile.com