UPDATE (2) of 03.31.2021 Blackbaud Data Breach: University / College / K-12 (Third Part) - SuspectFile
Marco A. De Felice aka amvinfe, March 31, 2021
UPDATE (2) of 31.03.2021
Total number of people involved 7,908,580 (+216,784)
In the update of 03.31.2021, 17 new Institutions affected by the Blackbaud Data Breach are added. Furthermore, 6 educational institutions already reported by SuspectFile are updated with definitive data.
As of 28.02.2021, the total number of persons involved in the loss of personal data was 7,691,796. In March, 17 new educational institutions affected by the Blackbaud data breach were identified by SuspectFile. As of March 31, 2021, the number of institutions affected rises from 437 to 454.
SuspectFile has also updated the partial numbers of 6 previously reported institutions; this latest update has significantly increased the total number of people involved in the Blackbaud data breach.
New institutions (17)
13 K-12
Holderness School Holderness – New Hampshire
Washington International School Washington – DC
La Jolla Country Day School La Jolla - California
Xavier High School Middletown – Connecticut
Rumsey Hall School Washington Depot – Connecticut
Landmark Christian School Atlanta – Georgia
Galloway Schools Atlanta - Georgia
The Peck School Morristown – New Jersey
Stanley Clark School South Bend – Indiana
The Buckley School New York – New York
Millbrook School Millbrook – New York
Santa Catalina School Monterey – California
Maryknoll School Honolulu – Hawaii
2 Universities
Norwich University Northfield – Vermont
Barry University Miami – Florida
2 Colleges
Boston College High School Boston – Massachusetts
St. Agnes Academy Houston - Texas
Update with the final data of 6 Institutions already reported by SuspectFile
Utrecht University Utrecht - The Netherlands 6,000 ➤ 185,000
Norwood School Bethesda – Maryland 1 ➤ 827
Fort Hays State University Hays Foundation - Kansas 127 ➤ 796
Colgate Rochester Crozer Divinity School Rochester – New York 7 ➤ 1,152
Trinity Christian College Palos Heights – Illinois 2 ➤ 788
The Oakwood School Greenville – North Carolina 0 ➤ 2,330
NB: in the table at the bottom of the page, which lists all the institutions involved in the data breach, both the 17 new entities and the 6 updated with the final data have been included.
The next update will be released in late April.
UPDATE (1) of 28.02.2021
Total number of people involved 7,691,796 (+17,656)
In the update of 28.02.2021, 18 new Institutions affected by the Blackbaud Data Breach are added.
As of 07.02.2021 the total number of people involved in the loss of personal data was 7,674,140. After the notifications that SuspectFile has collected, as of 02.28.2021 the number of people affected has increased by 17,656, bringing the total to 7,691,796, and the number of institutions affected has increased from 419 to 437.
Below is the list of entities that in the last few weeks have reported the loss of data to the Attorneys General of their respective states:
12 K-12
Norwood School Bethesda – Maryland
St. Luke's School New Canaan - Connecticut
San Francisco University High School San Francisco – California
Rutgers Preparatory School Somerset – New Jersey
St. Mary’s Episcopal Day School Hartsdale – New York
The Leffell School Hartsdale - Long Island
Brookville Lutheran Middle and High School - New York
Laurel School Shaker Heights – Ohio
The Oakwood School Greenville – North Carolina
Parish Episcopal School Dallas - Texas
Colgate Rochester Crozer Divinity School Rochester – New York
The Winsor School Boston – Massachusetts
3 Universities
City University of New York New York City – New York
Kennesaw State University Kennesaw – Georgia
Fort Hays State University Hays Foundation - Kansas
3 Colleges
Berwick Academy South Berwick
Trinity Christian College Palos Heights – Illinois
Vermont State Colleges Montpelier – Vermont
NB: in the table at the bottom of the page, which lists all the institutions involved in the data breach, the 18 new entities have already been entered.
The next update will be released at the end of March.
Exactly one year ago, on February 7, 2020, a group of hackers managed to break into Blackbaud's computer systems, stealing millions of pieces of data from the servers of the American multinational, a world leader in the cloud computing sector.
After having previously written about the Blackbaud Data Breach which involved FOUNDATIONS and HOSPITAL STRUCTURES, in this third part I will try to explain, with numbers, what damage was suffered by Universities, Colleges and K-12. To do this, I used data that I have collected in the last 6 months, and that I have included in a file available at the end of this article.
These are the numbers:
419 is the (partial) number of Universities / Colleges / K-12 involved in the Blackbaud Data Breach
7,674,140 is the number of people involved
172 the entities for which I can provide the definitive number of people involved
87 the entities for which I can provide the partial number of persons involved
160 entities for which I cannot provide the numbers of the people involved
A very long job that required many weeks of research on the institutional sites of the US Attorneys General (I thank the offices of the Attorney General of the States of Indiana and New Mexico for the assistance shown) and on those of the Universities, Colleges and K-12 schools, as well as cross-referencing and checking thousands of pieces of data.
I thank all the institutions of the UK and Ireland for providing me with the requested data. I also thank all the Institutions who, "relying on" some articles in the "Freedom of Information Act 2000" or the "Freedom of Information (Scotland) Act 2002", have decided not to provide them to me. A legitimate choice which I respect, but which I do not agree with: transparency should be a cornerstone especially when it comes to public institutions.
On February 7, 2020, according to official statements released by Blackbaud, a group of hackers had managed to break into the company's computer systems and steal a subset of data from some servers. On May 20, after more than three months during which the hackers were able to act undisturbed, Blackbaud's IT staff finally detected the unauthorized access within their IT infrastructure.
On July 16, 2020, Blackbaud published the first press release on its website. In this first statement, which came more than two months after the discovery of the data theft, the multinational reassured its customers by stating that no type of Personally Identifiable Information (PII) was affected by the Data Breach.
First Blackbaud press release dated 16.07.2020
Four days later, in a forum of an American nonprofit association of IT professionals in higher education, the first strong criticisms of Blackbaud's conduct appeared, concerning above all the time taken to report the Data Breach, but also the scarce information provided to those directly involved. Dozens of American universities and colleges took part in the open discussion in the forum.
The discussion then continued privately, outside the public forum. Here are some screenshots.
On September 29, Blackbaud published a second statement contradicting itself, declaring that the subset of data stolen also included PII, including bank account information, social security numbers, usernames and/or passwords.
Second Blackbaud press release dated 09.29.2020
From my research I have been able to ascertain that for many universities, colleges and K-12 schools the data theft also affected medical information, passport numbers, driving license numbers and Tax ID numbers (TIN). The research also revealed that Blackbaud, for some affected entities, had kept old backups on its servers.
The Cathedral Catholic High School of San Diego - California stated that on the servers of the American multinational there were several backups containing 15-year-old unencrypted PII. At the Shady Hill School in Cambridge, Massachusetts (823 individuals affected), unencrypted data, including PII, was stored in a database dating from before 2012 and linked to obsolete versions of the Blackbaud "Raiser's Edge" and "Financial Edge" software used by the school.
For other universities, such as St. Francis Catholic High School in Sacramento - California, Delft University of Technology (60,000 people involved) and Utrecht University (6,000 people involved) in the Netherlands, the backups dated back to 2017.
In many other cases, the Institutions were unaware of the existence of databases containing unencrypted sensitive information about their staff and students, kept by Blackbaud on its servers. This is the case of the Westminster School in Simsbury, Connecticut, where the PII of 802 people was stored on the servers of the American multinational without the school being aware of it.
Another institution that did not know of the existence of an unencrypted database containing PII of its staff and students is the Avon Old Farms School in Avon, also in Connecticut. In this case the number of people involved is 2,804.
The retention of highly sensitive unencrypted data in obsolete databases or, worse, the retention of unprotected data without the knowledge of those directly concerned, is the exact opposite of sound business management.
In addition, Blackbaud poorly handled the manner and, above all, the timing of the notifications sent to the Institutions affected by the Data Breach. This delay has forced US universities, colleges and K-12 institutions to deliver notifications to their staff, students and Attorneys General, in many cases, only during the last few weeks.
Here are some telling examples:
Bishop Moore Catholic High School Orlando, Florida (5,981 people involved):
- notifications sent on 29.01.2021 (residents in the State of Maine)
Landon School Bethesda, Maryland (4,612 people involved):
- notifications sent on 22.01.2021 (residents in the states of Massachusetts, Maine, Vermont, New Hampshire)
The Archer School for Girls Los Angeles, California (6,385 people involved):
- notifications sent on 13.01.2021 (residents in the states of Maine, Indiana, New Hampshire, Vermont)
One year later, we still don't know the total number of entities affected or the total number of people whose sensitive data has been exfiltrated. After paying the ransom demanded by the hackers, Blackbaud never wanted to reveal the real impact on its customers, just as it never made clear which ransomware group was responsible.
Many hypotheses have been made about the name; my belief has always been that behind this cyber attack there was Maze, a group that has not been active for a few months now.
With regard to the numbers of those affected, we know with certainty that, to date, the partial figure exceeds 20 million. Not forgetting those affected in hospitals, who number close to 11 million, as Dissent (@PogoWasRight) of DataBreaches.net told us, and those of the Foundations, on which we have no reliable data.
In the table below I have collected the sensitive data and the number of people involved in 419 educational institutions affected by the Blackbaud Data Breach, entities located in the US, Canada, New Zealand, UK, Ireland, Netherlands, Hungary.