More victims are coming out of the open voluntarily disclosing that they have been indirectly and directly affected by the recent Blackbaud breach. Blackbaud, the service provider of a financial management software recently paid a ransom for a notorious ransomware group to avoid the following:
- Permanent data encryption
- Dumping the affected data out in public
Ransom Paid by Blackbaud
As a researcher, I can say that ransomware threats are to be taken seriously for any demands and the direct result of not paying for the ransom. In this case, according to Blackbaud’s disclosure, they did process the payment. However, the exact amount remains a mystery. Our team searched the Dark Web and any related sites in the Clearnet. As a result of the search, there is no evidence of information being leaked. It is safe to assume that the ransomware group fulfilled the end of the bargain.
Who are the affected universities that were affected? According to the BCC (British Broadcasting Network) the list is as follow:
- University of Birmingham
- De Montfort University
- University of Strathclyde
- University of Exeter
- University of York
- Oxford Brookes University
- Loughborough University
- University of Leeds
- University of London
- University of Reading
- University College, Oxford
- Middlebury College, Vermont
- West Virginia University
- New College of Florida
- Cheverus High School: Catholic High School Portland
- The Bishop Strachan School, Canada
- University of North Florida
- Ambrose University, Alberta, Canada
- Rhode Island School of Design, US
- Choir with No Name
- Vermont Foodbank
- Vermont Public Radio
- Northwest Immigrant Rights Project
- Human Rights Watch
- Young Minds
Other institutions that were affected are charities and similar educational institutions. Those that were affected by the payload of the malware got the Personal Identifiable information of the following:
- Confirmed individual contributors of charities and universities
- School staff in some cases
- Students in some universities
- Minimally other supporters were also exposed
Blackbaud’s position
Blackbaud retains its narrative that the majority of its partners and customers are not affected. Based on the current digital landscape, it appears Blackbaud is telling the truth because there is no evidence to back up that the breach was that severe.
As a cybersecurity expert, we do not advise paying the ransom. The black and white approach in this situation is not applicable. Why? It is because the data privacy laws internationally may hold Blackbaud accountable in any case that the data dumps were publicly released, whether marketed in the Dark Web Marketplace or worse, issued for free for anyone to feast.
Lawsuits for not protecting the data
Myriads of lawsuits could have been launched directly to Blackbaud in any case they did not pay for the ransom. Consequentially, not paying the ransom will land them in hotter waters, because if the data will remain encrypted, yet publicly released. Partners and customers alike will seek compensation through lawsuits. What are the risks of lawsuits? Let me enumerate in a limited point of view:
- Lost of funds and time spent on legal proceedings and settlement payments.
- Reputational damage for each lawsuit mounted.
- Lost of business confidence in the international stage.
- Possibility of losing clients.
iZOOlogic aims to protect the brands of each industry it can in the digital landscape. We can also provide adequate knowledge on how to further safeguard brands beyond the internet. Paying the ransom is not entirely correct. But with the situation that they are involved, it is best to not invite lawsuits from different organizations. We always have our clients in mind, to strictly follow the FBI, and EUROPOL’s advice is suicide for the business in the current situation.
