Charities and not-for-profits are hacked because of the Blackbaud ransomware attack
11th August 2020
Dozens of charities, universities and not-for-profit organisations in the UK, US and Canada have fallen victim to a high level cyber-attack. Their vulnerability to the attack was a result of their software supplier Blackbaud (the world’s largest provider of education administration, fundraising, and financial management software) being held to ransom by hackers in May.
Although Blackbaud has not yet revealed just how major the breach was, they have been widely criticised for not taking action quickly enough to warn their clients their data had been compromised.
The stolen data includes names, phone numbers and donation and event attendance histories but thankfully their credit card and other payment details do not appear to have been taken. Blackbaud have also been quick to underline their popular fundraising platform JustGiving was not affected by the hack.
In a statement Blackbaud told the press that they had “discovered and stopped a ransomware attack” in May 2020 but “the majority of our customers were not part of this incident”. They then admitted the hackers had “removed a copy of a subset of data from our self-hosted environment” and had been told that data would be destroyed if they paid the ransom. Blackbaud confirmed the ransom had been paid but is still unclear as to whether the criminals have kept their word.
However, even though Blackbaud has apologised publicly and contacted all of the affected parties, questions are rightfully being asked why it has taken them almost two months to admit the breach. The time lag is particularly pertinent given the General Data Protection Regulation (GDPR) states any company must report any breach within 72 hours or face heavy fines.
This incident unfortunately illustrates a worrying trend in the charity world. According to a recent study published by the Department for Digital, Culture, Media and Sport almost a quarter of our charities were hit by some form of cyber-attack during 2019, a rise of nearly 5% on the previous year.
The study also reported that higher income charities were more likely to be attacked as 57% of charities with annual incomes of £500,000 or more had been targeted during the previous 12 months.
Although preventing cyber-attacks is a specialist field here are 4 preventative steps we’d recommend every charity takes:
- Keep your protection software up to date
Criminals keep up to date and will exploit any cracks left by the latest software updates.
- Keep your staff up to date
Make sure your staff know about current threats and the latest scams and give them practical tips that will help them avoid them.
- Implement an easy-to-use reporting process
If your staff has any concerns you need to make sure reporting them is as quick, easy and effective as possible so you can act immediately.
- Only use strong passwords
And change your strong passwords (passwords with more than 12 characters and includes numbers, symbols and a mix of capitals lower-case letters) regularly and make sure they are stored and shared safely.
If you have questions regarding any aspect of your charities financials or accounts (or would like our suggestions as to who you could speak to if data security is a concern) please email firstname.lastname@example.org or call Robert on 0116 282 7000.