With this article on the Blackbaud Data Breach, we conclude the final chapter of a story that SuspectFile has been following for three years, but not before updating our table with the number of people involved in the data breach at the University of Birmingham – UK (464,395), a figure that was only recently provided to us by the university.
Just as we had done with other educational institutions, we had submitted (in November 2020) a request for information to the University of Birmingham under the Freedom of Information Act 2000 (FOIA 2000), regarding the number of people affected and the type of documents compromised during the Blackbaud data breach.
Their response reached us on August 25th, albeit with considerable delay. It is precisely for this reason that SuspectFile wishes to thank the University for the seriousness, correctness, and professionalism demonstrated, first and foremost, to their students and staff, and ultimately to us. Here is what they replied.
Dear Mr De Felice
Further to your request for information, please see the attached response. Please accept our sincere apologies for the time taken to respond to your query, further details of which are set out in the attached response.
If you have any queries about this email, please contact us. Please remember to quote the reference number above in any future communications.
Freedom of Information Team
University of Birmingham
In the email, we are also provided with an official document containing the respective responses regarding the total number of people involved and the type of information taken from Blackbaud’s servers. All the data related to the University of Birmingham has been updated and can be found in the table at the end of the article.
A slightly different situation occurred when we requested information under FOIA 2000 from Staffordshire University – UK.
On November 16, 2020, we had sent an initial FOIA 2000 request to an incorrect email address. On November 30, we sent a new request for information to the correct email address, email@example.com. Then, a second and a third email were sent on February 9 and April 16, 2021, respectively. We received responses that we deemed unsatisfactory. In one of their response emails, it was essentially stated that we could find the answers to our questions at this URL https://www.bbc.co.uk/news/technology-53567699. Clearly, if we had found the BBC article to be comprehensive, we would not have sent three emails to Staffordshire University.
We therefore deemed it necessary to request the intervention of the Information Commissioner’s Office (ICO), and only after their involvement, on August 3 (9 months after our first email!), were we able to receive a response from Staffordshire University.
In their response, they again provided the URL to the BBC article and also “pasted” the text of the notification that the University had sent to the individuals affected by the data breach, with the data that the University believed could have been compromised: name, address, email, phone number, date of birth, maiden name, and class membership. However, no information about the number of people affected was reported. You can find this update in the table at the end of the article.
During these three years, we have tried, to the best of our ability, to provide a useful service to the individuals and entities involved in this colossal data breach. According to the NonProfit Times, this breach affected over 13,000 entities. Blackbaud is an American company based in Charleston, South Carolina, and is a global provider of software for donor relationship management to various non-profit organizations, including charities, higher education institutions, primary schools, healthcare organizations, religious organizations, and cultural organizations, with a portfolio (in 2020) of over 45,000 clients in more than 100 countries.
We believe that this incident was one of the largest data breaches in the last 10 years, both in terms of the number of businesses and the number of people affected. It is estimated that the total number of individuals affected worldwide may have been over 50 million. To better grasp the seriousness of the data breach, it is as if every resident of the state of Texas (29 million) plus every resident of the state of Florida (21 million) had been affected by the Blackbaud Data Breach (population data for the two U.S. states is based on 2020 figures).
As we reported in our 2020 article titled “Blackbaud Data Breach: University / College / K-12,” in February 2020 the U.S. multinational company Blackbaud fell victim to a massive cyberattack.
Among the data in our possession and those recorded by Dissent from DataBreaches.net, as of today, 543 victims have been identified and publicly disclosed, including educational, healthcare, and non-profit institutions, involving a total of 19,350,513 individuals (updated with the latest data from the University of Birmingham – UK).
It’s important to note that the mentioned data is based solely on the information provided by victims who reported unauthorized indirect access to their State Attorneys General. This accounts for 4.18% (543) of the total entities involved, which, as mentioned previously, exceeded 13,000.
On February 7, 2020, Blackbaud experienced a cyberattack on its servers by an unidentified ransomware group. The American multinational decided to pay the ransom but only reported the data theft on May 20 of the same year. For four months, the (indirectly) affected entities remained unaware of the breach.
After Blackbaud’s initial (misleading) communication, we recorded the first comments from victims on some forums expressing disappointment at how the company’s leadership was handling the crisis.
In September of the same year, Blackbaud, against its will, found itself forced to retract its initial statements about the severity of the data breach and issued a second official statement considering the possibility that other sensitive data may have been exfiltrated by the cybercriminal group, as we had reported in this other article from November 2020.
We would like to remind you that in August 2020, Blackbaud, in response to a specific request from the Securities and Exchange Commission (SEC), failed to disclose that sensitive information was among the data exfiltrated during the cyberattack.
Here is the statement by David Hirsch, head of the Crypto Assets and Cyber Unit of the SEC Enforcement Division.
“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous. Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
Also, due to these omissions, in March 2023, Blackbaud was held responsible by the SEC for the mishandling and inadequate protection of sensitive data of its investors. As a result, they were fined $3 million, as determined by Judgment Number 33-11165 dated March 9, 2023. We recommend reading the full judgment as it is the only way to understand the many mistakes made by Blackbaud. You will also grasp the superficiality with which the company’s IT department handled the data verification operations after the cybercriminal group’s breach, among other issues.
In a passage from the Form 10-Q, the quarterly statement that publicly traded companies in the United States are required to submit to the Securities and Exchange Commission, filed by Blackbaud on August 4, for the second fiscal quarter of 2020, there is a paradoxical statement from Blackbaud (page 44).
“A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties”.
This statement from Blackbaud leaves no room for subjective interpretation. The American multinational initially attempted to conceal part of the truth regarding the sensitive data stolen (protected medical information, SSNs, donor bank account numbers, identification documents, driver’s licenses), doing so in the hope of avoiding collective compensation claims.
There were, in fact, Class Actions (at least 15). Below are just a few examples:
- Mortensen vs Blackbaud
- Bishop vs Blackbaud
- Imhof vs Blackbaud
- Carpenella vs Blackbaud
- Allen vs Blackbaud
Finally, we would like to highlight another document related to a Class Action filed by a minor, at the time of the incident, against Rady Children’s Hospital-San Diego, CA (a regional hospital dedicated exclusively to pediatric healthcare and the largest pediatric hospital in California by admissions). In this case, the lawsuit was filed directly against the organization that used Blackbaud software.
With this latest article of ours, we conclude “the Blackbaud case,” which should serve as a lesson to all organizations, both public and private, that store sensitive data in digital format within their servers.
The conduct of Blackbaud knowingly harmed thousands of organizations and tens of millions of people worldwide who had placed their trust in them. Furthermore, we believe that Blackbaud’s conduct appears even more reprehensible after reading the reasons behind the judgment of the Securities and Exchange Commission. However, with all due respect, we consider that the imposed fine is not commensurate with the seriousness of the events caused by the South Carolina multinational.
We want to thank @Dissent from DataBreaches.net for the commendable work done in obtaining information regarding the victims of the American medical institutions involved. We also thank her for the valuable information she provided concerning U.S. Federal laws.