BSA Member, Donor, Alumni Data Impacted by Blackbaud Data Security Incident

[walk in the woods]

It would be nice to know exactly what Blackbaud services were being used by BSA?  Was this membership management?  FOS donors?  Other donors?

I wonder if Blackbaud's bigger concern right now isn't identifying all the EU citizens in that stolen data for GDPR compliance purposes.  Unless they didn't have any, or quietly notified them of the breach, I think they are long past the required notification window.

[RememberSchiff]

7/30/2020 :  Related or coincidence, the BSA gave notice to the Bankruptcy Court that they are retaining and compensating

Baker & Hostetler LLP to serve as legal counsel with regard to data privacy issues.

https://casedocs.omniagentsolutions.com/cmsvol2/pub_47373/836594_1056.pdf

BakerHostetler National Privacy and Data Protection Team

"...the elite team of attorneys is consistently selected by general counsel worldwide to address their most critical issues. Providing a full range of practical, strategic advice across a myriad of industries in key cities with global reach, the team’s comprehensive experience includes working on nearly 25 percent of all data breaches reported in the last year."

https://www.bakerlaw.com/press/bakerhostetlers-national-privacy-and-data-protection-team-named-a-practice-group-of-the-year

Edited July 30, 2020 by RememberSchiff

[SSScout]

*sigh*.  I guess the days of worrying about one's good word and reputation as being as good as a handshake are over ?   There is a local story about a US soldier in London during the Blitz needing some cash, so he wrote a "check"  on a local US bank on a scrap of paper (the legend says a cigarette pack wrapper) and the London bank cashed it on sight owing to the reputation of the bank in question. 

  My dad trusted the cash in his pocket, but used the banks , and they knew him.  His reputation is what got me my first car loan.  Same bank.....

Then too,  one might worry about forgetting where one buried that Mason jar full of     Grants or  Franklins  and Clevelands......   

[MikeS72]

2 hours ago, SSScout said:

Then too,  one might worry about forgetting where one buried that Mason jar full of Grants or  Franklins  and Clevelands.....

Don't have to worry about that, never possessed anything above a Franklin, although I did hide one of those in an old metal 35mm metal film canister while on camp staff back in 74.  End of summer rolled around, and for the life of me, I could not remember where I hid it.  🙁🙁

 

Edited July 31, 2020 by MikeS72

[IndyScouter]

23 hours ago, MikeS72 said:

Don't have to worry about that, never possessed anything above a Franklin, although I did hide one of those in an old metal 35mm metal film canister while on camp staff back in 74.  End of summer rolled around, and for the life of me, I could not remember where I hid it.  🙁🙁

 

What camp did you say you worked at again?  I think a treasure hunt into unknown woods sounds more fun than teaching my classroom of masked students next week.  Hmmm...I could make it a field trip!  😁.  I just need 30 shovels and a tape measure for social distancing.  

[RememberSchiff]

On 7/30/2020 at 2:35 PM, RememberSchiff said:

Victimized organizations*  should  press Blackbaud to provide  third  party identity and  credit monitoring. 

* Which organization will lead? My money  (again $0.02) is on  Boys & Girls Club of Delaware  

Update:   https://www.scouting.org/blackbaud-data-incident/

"...Nevertheless, out of an abundance of caution, the BSA reminds you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:

• Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
• Experian, PO Box 2002, Allen, TX 75013, www.experian.com, 1-888-397-3742
• TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-916-8800

Please know that the BSA takes the security of your information very seriously and shares your concern about this incident. Blackbaud has already implemented changes to its security controls to better protect against a potential future attack, and the BSA is working with Blackbaud and other resources to assess the best path forward..."

What some were doing on their own. No identity protection? Seems lacking given severity of breach.

Edited August 21, 2020 by RememberSchiff

[RememberSchiff]

Update Sep 29,2020: 

Hackers may have gotten access to individuals' bank and Social Security information in a ransomware attack over the summer on a data storage and software provider that serves dozens of Texas nonprofits and universities.

“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords," Blackbaud Inc. disclosed in a regulatory filing this week. "In most cases, fields intended for sensitive information were encrypted and not accessible.”     

In an updated notice on its website, Blackbaud said that its new findings “do not apply to all customers who were involved in the incident” and that it had contacted potentially affected customers.

“We sincerely apologize that this happened and will continue to partner closely with our customers as we jointly navigate this cybercrime incident,” Blackbaud said in a statement on its site.

Sources:

https://www.dallasnews.com/business/technology/2020/10/01/blackbaud-hackers-may-have-accessed-social-security-bank-info-in-attack-affecting-texas-institutions/

https://www.blackbaud.com/securityincident

[John-in-KC]

So, was BSA’s data part of the SSN and bank info taken?

[RememberSchiff]

That is a question for the BSA as they are Blackbaud's customer. 

My point, there was more to the breach than Blackbaud initially released and the extent of this new information, whether  there was no more damage or SSN's compromised to customer BSA, was reported Sep 27, to customer BSA . IMO, the BSA should append an update to https://www.scouting.org/blackbaud-data-incident/  letting us know. 

Sept 29, 2020 "Security Incident" from Blackbaud website

• further forensic investigation ( occurred after July 16) found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the incident. Customers who this applies to who we believe are using these fields for such information were contacted the week of September 27, 2020 and were provided with additional support.

We sincerely apologize that this happened and will continue to partner closely with our customers as we jointly navigate this cybercrime incident.