A ransom paid to shut down a data breach placed a Charleston technology company center-stage in international news and set off frustrations from many of its customers.
Blackbaud Inc. notified the public of the ransomware attack in mid-July. The company says the cybercriminals sent confirmation the data they swiped from its servers was destroyed. But that hasn't stopped customers from worrying about the aftereffects.
At the end of last year, Daniel Island-based Blackbaud told investors it had roughly 45,000 customers in 100 countries. The software the nearly 40-year-old company sells helps nonprofits, churches and schools manage their operations, including donor databases.
The incident is one example in a growing trend of ransomware attacks against companies large and small. The number of clients affected and their respective reaches in education and the nonprofit sector amplified news of the attack.
The hack triggered breach notices from prominent schools, foundations and others, raised speculation that Blackbaud violated new data privacy laws and has spurred at least three lawsuits against the company.
During a call with investors July 30, Blackbaud CEO Mike Gianoni apologized for the attack. He said the company typically intercepts millions of intrusion attempts each month.
"Unfortunately, one got into a subset of our customers and a subset of our backup environment," he said. "We have no reason to believe that any data went beyond the cybercriminal or will be disseminated or made available publicly."
Security has been tested and shored up, Gianoni added.
The company contacted the Federal Bureau of Investigation following the breach. It assured customers the theft did not include any bank account, Social Security or credit card details, because that information was encrypted — an added layer of security.
Blackbaud has been criticized for what has been perceived as a delay in disclosing the attack to customers. The company countered that it acted as quickly as it could.
"We notified customers within a matter of days after confirming how they were part of the incident," a spokeswoman said in a statement.
The company laid out a timeline of events: It first learned of the attack on May 14, though reports from its customers indicate it began in February. Six days later, the company says, it had contained the attack. The attacker wasn't able to take control of the company's internal systems, but was able to extract data. The unidentified cybercriminal stopped trying to get back into the Blackbaud system by June 3.
Blackbaud had an official report from a third-party forensic assessor in hand at the end of June. A spokeswoman said the company's experts then had to conduct an analysis to determine which accounts were affected and what those customers would need to know about the breach, which took until July 9.
Seven days later, it began notifying customers.
Blackbaud's customers reported losing contact information, email and physical addresses as well as donors' giving histories. And at least one customer, Vermont Public Radio, sent letters to some donors in August warning images of checks with bank numbers printed on them could have been part of the breach.
Ransomware on the rise
Many of Blackbaud's customers needed to tell their own constituents of the problem, given it was those people's personal information on the line. Messages are still trickling out.
Customers of Blackbaud affected by the breach number too many to list. The BBC reported at least 125 organizations were affected by the incident in the United Kingdom. Victims included the National Trust, a 125-year-old group that promotes the preservation of historic places. The breach tipped off an investigation at the trust, according to the BBC.
The University of South Carolina also lost data in the breach, as did regional hospitals.
Terry McGraw, president of the cybersecurity firm PC Matic Federal, spent 27 years in the U.S. Army, part of that time leading cyberwarfare operations and counterintelligence. PC Matic has one of its headquarters in Myrtle Beach, where its CEO, Rob Cheng, is also based.
Ransomware has become the most common tool cybercriminals use to get paid for their attacks, McGraw said. Bad actors can use technology that is readily available for purchase.
"All you need is a desire to commit crime," he said.
In Blackbaud's case, McGraw said the criminal probably researched the company and learned it had a large base of customers with vulnerable information. He credited the Charleston firm's cybersecurity experts with stopping the attack before it got worse.
"This is probably a thought-out attack. Someone was working at getting in," he said. "The fact that they caught it and limited this breach before it locked up the entire environment — that speaks pretty well to their cyber team."
Blackbaud hasn't disclosed how much it paid the criminals. If it was material to the publicly traded company, it would have to be disclosed to investors and reported to the U.S. Securities and Exchange Commission.
But data breaches can cost businesses $3.9 million on average, according to a global study from IBM released in July. And the expenses can linger. On average, it takes businesses 280 days to identify and stop attacks.
Just last week, the major nonprofit hospital systems Roper St. Francis in Charleston and Atrium Health in Charlotte let their donors know about the breach.
Blackbaud hosts Roper's fundraising platform, the health care provider wrote in a notice Tuesday. Though the breach only affected donors — not its entire patient population — the health system told patients that some of their information could have been in the donor database. That includes names, dates and locations of treatment.
"To help prevent something like this from happening again, we are reviewing how information is stored with third-party vendors and are re-evaluating our relationship with Blackbaud," according to the notice.
The Charleston-based hospital system was not the only organization to say it is reconsidering its contracts with the company. Some said it took too long for Blackbaud to let its customers know about the breach.
Planned Parenthood sent an email blast to its members saying it was "extremely dissatisfied" by the delay in notification and "lack of transparency."
"Planned Parenthood's service agreements with Blackbaud require them to employ stringent security measures to protect the data of our supporters, and this breach has violated those agreements," Jethro Miller, chief development officer for Planned Parenthood, wrote.
A spokeswoman for the national Planned Parenthood office, which represents multiple affiliates that were affected by the breach, said the organization has been working closely with Blackbaud since July to "assess the data impacted and prevent further incidents."
"As our work with Blackbaud to address the situation continues, each affiliate will make their own determination as to whether or not to continue work with the firm," she said.
Mark Swearingen, an attorney in Indianapolis advising about 20 organizations affected by the breach, said Blackbaud's customers have to navigate a complex patchwork of state laws that have different rules about cyberattack notifications.
Swearingen said that because Social Security and credit card information wasn't compromised, the top concern is instead that cybercriminals could impersonate a charity and reach out to established donors to solicit a contribution.
That concern persists even though Blackbaud paid the ransom, Swearingen said, because it is difficult to verify the cyberthief destroyed the breached data as promised.
"There's really no way to objectively verify that, and you're relying on the word of someone who is stealing from you," he said.
Another layer of complication is that customers have to rely on the company to provide information about the attack. Swearingen encouraged any organization affected to seek guidance on notifying customers and securing information.
Neal Bridges is global head of cybersecurity operations for Chicago firm Mondelez International, which he said is working to bring security options to nonprofits and small businesses. He said professionals in his field are always evaluating how companies respond to breaches like Blackbaud's. The Charleston company's news was the topic of conversation on Cyber Insecurity, a podcast Bridges co-hosts.
Bridges noted when a 17-year-old hacked famous Twitter accounts in July, the social media company acknowledged the attack was happening in real time.
"We want to see that level of transparency," Bridges said.
The statement Blackbaud issued in July, which did not include specifics of what weakness was exploited or what data was stolen, did not meet those standards of transparency, he said.
One of the reasons companies don't tend to readily admit fault, Bridges said: Concerns about potential lawsuits.
Lawyers acted quickly on news of the breach. A North Carolina resident filed a first lawsuit seeking class-action status in U.S. District Court in Charleston against Blackbaud on Aug. 12. A second complaint from a Minnesota resident joined the queue Sept. 4.
And two California residents allege in a third lawsuit filed Wednesday that despite the company's assurances, the hackers were able to access their Social Security numbers. The suit also alleges violations of a new data privacy law in California that took effect in January.
All of the plaintiffs said they were notified that their personal information was lost in the attack, and they allege Blackbaud could have stopped the breach but failed to do so.
The lawsuits also state Blackbaud has not offered credit monitoring.
The company has not yet filed formal responses to the complaints.
Bridges said many in the cybersecurity industry have questioned whether Blackbaud's response to the attack violated the new privacy laws in California and the European Union, which generally require firms to report breaches within 72 hours. The EU law, called the General Data Protection Regulation, went into effect in May 2018.
Companies based around the world have to heed the rules if they do business in those places. In response to the newspaper's questions about whether its notification process violated the GDPR, Blackbaud's spokeswoman said they followed the letter of the law by telling clients without "undue delay," though she acknowledged "a fair number" of customers have asked about the rules.
Blackbaud — like any company that deals in the personal data of its customers — was aware navigating the new laws could pose challenges. The firm outlined the risk in its annual report to the U.S. Securities and Exchange Commission in February.
"If a breach of data security were to occur, or other violation of privacy or data protection laws and regulations were to be alleged, our business may be materially and adversely impacted and solutions may be perceived as less desirable," the company wrote in the disclosure.
If the company does lose business over the breach, it isn't showing in the balance sheet yet: Sales in the second quarter of the year were up about 4 percent.