CynicalScouter Posted July 29, 2020

Dear Scouting family,

I am writing to inform you of a data security incident involving Blackbaud, one of the Boy Scouts of America's third-party service providers, and one of the world's largest providers of customer relationship management software. We were notified on July 16 by Blackbaud officials that their system had been the target of a ransomware attack, and we are reaching out to share the information we received.

Blackbaud reported that the data security incident started on February 7, 2020 and possibly continued intermittently until May 20, 2020. The BSA was one of numerous organizations that were impacted. It is important to note that Blackbaud assured us that no encrypted data such as Social Security numbers, bank account information, and credit and debit card information was accessible. We are conducting an internal investigation to confirm this assurance. If any such data is found to have been viewable, we will notify the impacted individuals directly.

According to Blackbaud, the cyber-attack was successfully stopped, and the cybercriminals were expelled from its system. However, Blackbaud informed us that the cybercriminals did remove a copy of a backup file that it stored as part of its ordinary course of operations. We believe that file may have contained limited non-financial information, such as your contact information, date of birth, limited demographic data and a history of your relationship with the BSA. Blackbaud assured us that, based on the nature of the incident, their research, and law enforcement's investigation, the stolen data has been destroyed and there is no reason to believe any data went beyond the cybercriminals, was or will be misused, or will be disseminated or otherwise made available publicly. We do not believe there is a need for you to take any action at this time.

As a best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.

We value your relationship with the BSA and the faith you put in us. Please know that we take the security of your information very seriously and share your concern about this incident. Blackbaud has already implemented changes to its security controls to better protect against a potential future attack, and we are working with Blackbaud and other resources to assess the best path forward. While the BSA was not the target of this attack, nor was it the only organization affected, we are taking time to learn from this third-party incident and to review our own security practices and system configurations to better protect your information.

Thank you for your continued support of Scouting.

Yours in Scouting,
Vijay Challa
Chief Technology Officer

Copyright © 2020 Boy Scouts of America. All rights reserved. Boy Scouts of America, 1325 West Walnut Hill Lane, Irving, TX 75038
Scoutmaster Teddy Posted July 29, 2020

After working in information technology for more than 25 years, I can say I'm not surprised. I've seen the guards being lowered due to wide-spread budget concerns, lax management, and lack of oversight. I will be monitoring my information. Just because a corporation says not to worry doesn't mean you should let your guard down.
RememberSchiff Posted July 29, 2020

Be Prepared - aspirin bottle (regarding Blackbaud's delay in reporting and ransom paid)

On July 16, 2020, Blackbaud, a U.S.-based cloud computing provider and one of the world's largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on their servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.

Blackbaud's handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that they paid the cyber-criminals' ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.

More at
https://www.passwordprotectedlaw.com/2020/07/blackbaud-data-breach/
https://www.zdnet.com/article/university-of-york-discloses-data-breach-staff-and-student-records-stolen/
Jameson76 Posted July 29, 2020

First question, why is this from the CTO (I assume of the BSA, but it does not actually specify) and not our new BSA President? Either you OWN what happens on your watch or you don't. Guess he doesn't.

Candidly not assured (even though they told me twice to be assured). Well, we were notified promptly 174 DAYS after the initial breach. That is some fine detecting work there, Lou. Pretty sure all that background detail everyone sent in at the end of the year is in a SUPER SECRET file that nobody can get to 😝

"Blackbaud assured us that no encrypted data such as Social Security numbers, bank account information, and credit and debit card information was accessible"
I am soooo confident of that.

"According to Blackbaud, the cyber-attack was successfully stopped, and the cybercriminals were expelled from its system"
I am soooo confident of that.

"However, Blackbaud informed us that the cybercriminals did remove a copy of a backup file that it stored as part of its ordinary course of operations."
Sooo they got expelled, but basically took a copy of the database, so they sort of got what they needed??

"Blackbaud assured us that, based on the nature of the incident, their research, and law enforcement's investigation, the stolen data has been destroyed"
Yeah... that's not how data works; it can be copied as often as needed.
Jameson76 Posted July 30, 2020

Saw this from Save the Children:

"Save the Children places the highest level of regard on security and protecting our donor information. We have removed our data off Blackbaud's servers, and will continue to prioritize security, both internally and with all of our third-party vendors. Our supporters trust us with their information, and we do not take this lightly. We have and will continue to take steps to protect supporters' information in our combined efforts to ensure every child gets the future they deserve."

Guess I missed that part in the BSA statement on actions to take.
RememberSchiff Posted July 30, 2020

@Jameson76 perhaps this further assurance from Blackbaud will reduce your skepticism...

"While most in the cybersecurity community are not so trusting of hardened criminals, Blackbaud has publicly expressed their optimism that the cybercriminals destroyed the data and/or won't misuse, disseminate or make the data publicly available: 'We have credible confirmation that the data was destroyed for two reasons: The cyber ransom business model is dependent on the cybercriminal not disclosing the information or they lose credibility and leverage. We worked with a third-party expert in communicating with the cybercriminal, and we only paid the ransom when we received credible confirmation that the data was destroyed... as a precautionary measure, we have hired outside experts to monitor the Internet, including the dark web, and they have found no evidence that any information was ever released, and we will continue to monitor,' a Blackbaud spokesperson said."
https://schneiderdowns.com/our-thoughts-on/blackbaud-breach-alert

So hrrrumph, it is quite simple actually: the criminals have their good name to protect, and as a further look-good-after-our-blunder measure Blackbaud hired internet watchers to see if any stolen (now encrypted by criminals) data appears. No worry, rest assured. And not likely a bootleg copy of a copy will be sold, since the ransom paid was a staggering $350K (Bitcoin) for client data from 125 or more non-profit and educational institutions.

Oh, and good to know that the BSA was not the target, rather us. That is comforting.

IMHO, Blackeye should offer a year + 174 days of free identity and credit monitoring by a third party to all persons affected.

My $0.02 (two Lincoln sense, no Bitcoin)
Eagle94-A1 Posted July 30, 2020

28 minutes ago, RememberSchiff said:
"And not likely a bootleg copy of a copy will be sold since the ransom paid was a staggering $350K (Bitcoin) for client data from 125 or more non-profit and educational institutions."

350K Bitcoin equals $3,845,555,000.00
David CO Posted July 30, 2020

3 minutes ago, Eagle94-A1 said:
"350K Bitcoin equals $3,845,555,000.00"

or $0.00 (depending on how you look at it).

I wonder if there is any way federal officers could embed a code into some Bitcoin to infect the cybercriminals' systems.
Jackdaws Posted July 30, 2020

Am I the only one who immediately thought that this info was taken to aid lawsuits? They can now broadcast the net on members and fish for information. I am seeing a BSA abuse infomercial on TV, and it's playing each day a couple of times a day. I think I even got a mailer one day about it, and I immediately tossed it in the garbage.
RememberSchiff Posted July 30, 2020

1 hour ago, Eagle94-A1 said:
"350K Bitcoin equals $3,845,555,000.00"

Presumably $350K (as all internet posts are true) paid in equivalent Bitcoin.
RememberSchiff Posted July 30, 2020

Just now, Jackdaws said:
"Am I the only one who immediately thought that this info was taken to aid lawsuits? They can now broadcast the net on members and fish for information. I am seeing a BSA abuse infomercial on TV, and it's playing each day a couple of times a day. I think I even got a mailer one day about it, and I immediately tossed it in the garbage."

Hopefully the mailer did not have seeds in it.
Jackdaws Posted July 30, 2020

Just now, RememberSchiff said:
"Hopefully the mailer did not have seeds in it."

LOL. It was just a card, no envelope.
John-in-KC Posted July 30, 2020

17 hours ago, Jameson76 said:
"First question, why is this from the CTO (I assume of the BSA, but it does not actually specify) and not our new BSA President? Either you OWN what happens on your watch or you don't. Guess he doesn't. Candidly not assured (even though they told me twice to be assured). Well, we were notified promptly 174 DAYS after the initial breach. That is some fine detecting work there, Lou. Pretty sure all that background detail everyone sent in at the end of the year is in a SUPER SECRET file that nobody can get to 😝"

This is industry practice. The CTO owns the technology decisions.
John-in-KC Posted July 30, 2020

The info was destroyed by the hackers. Right. We are going to get flooded in crap by the ambulance chasers.
RememberSchiff Posted July 30, 2020

1 hour ago, John-in-KC said:
"This is industry practice. The CTO owns the technology decisions."

Victimized organizations* should press Blackbaud to provide third-party identity and credit monitoring.

* Which organization will lead? My money (again $0.02) is on Boys & Girls Club of Delaware.