TAMPA, Fla. — A software and data management company used by some of the nation’s leading nonprofits is now at the center of an FBI probe into how donor information ended up in the hands of cybercriminals.
You’ve probably never heard of Blackbaud, but the company may have handled your personal information.
Blackbaud claims its products are used by thousands of nonprofit organizations to manage more than $100 billion in charitable donations each year.
“You’re talking about a company of significant size that hosts and holds significant amounts of data for countless organizations around the world,” said Kevin Hughes, Vice President of Development for the New College Foundation in Sarasota.
If you’ve ever been a member or donated to some of the Tampa Bay area’s biggest organizations, Blackbaud has likely processed your name, address and credit card information.
Blackbaud’s client list includes local groups like Zoo Tampa, the Florida Aquarium, the Tampa Metropolitan Area YMCA and the Boys and Girls Clubs of Tampa Bay.
National organizations such as the American Heart Association and Special Olympics also use their products, as do a number of local foundations supporting schools, universities and hospitals.
“It was on July 16, that we received an email from Blackbaud notifying us that a security breach had taken place,” said Hughes of the New College Foundation. “Hackers had accessed their system and had been holding some of the data for ransom.”
Blackbaud declined an on-camera interview, but said in a statement, “We discovered and stopped a ransomware attack… and prevented the cybercriminal from blocking our system access.”
Blackbaud also said hackers removed data from their clients’ databases before the attack was detected.
Miami attorney Al Saikali, who specializes in privacy and data security, said he started hearing from clients immediately after Blackbaud notified them.
“My clients are universities, educational institutions, nonprofit organizations that use Blackbaud to collect information about donors,” Saikali said.
He says Blackbaud notified his clients their data was potentially compromised.
“They stole information, buckets of information. And so they have that in their possession. Now what the bad guys said was ‘if you pay us a ransom, we will destroy the stuff that we stole from you,’" said Saikali.
Saikali says some of that stolen information contained encrypted financial information that the cybercriminals couldn’t access, including Social Security numbers, credit cards and banking information.
But the rest of the information they took – could include your name, birthday, home address, phone number, email address, donation history and estimated net worth.
Blackbaud said it ended up paying the ransom, saying in a statement, “Because protecting our customers’ data is our top priority, we paid the cybercriminals' demand with confirmation that the copy they removed had been destroyed.”
But Saikali says he’s skeptical.
“A criminal telling me they deleted the stuff that they stole, I’m not just going to take them at their word,” he said.
Retired U.S. Secret Service agent and cybersecurity expert Gus Dimitrelos agrees.
“If it wasn’t valuable, the company would have just not paid,” Dimitrelos said.
He says if the data wasn’t actually destroyed, it could be used to launch email phishing attacks.
“This is very direct financial information targeting individuals who have money,” Dimitrelos said.
Dimitrelos says he’s also concerned that Blackbaud waited months after the breach to notify those affected.
“This company should have come out within 30 days of that to alert people,” he said.
The I-Team found that breach notification requirements vary from state to state.
Here in Florida, companies are required to notify you within 30 days if hackers seize your name along with either your Social Security number, driver’s license number, credit card number or banking information.
After we reached out to a number of local organizations to ask about the breach, the Florida Aquarium and the Crisis Center of Tampa Bay sent out emails notifying their members.
“We’re certainly very concerned for the coming months, certainly into 2021. We know that funding is going to be incredibly difficult for all of us,” said Crisis Center C.E.O. Clara Reynolds.
She says the breach couldn’t come at a worse time, since charities are seeing an increase in the need for services and many had to cancel their annual fundraisers due to the pandemic.
“We found out through you that this had happened,” Reynolds said.
She says the Crisis Center reached out to Blackbaud in early August and was told the company had already notified the organization by email in July.
“We actually had to scrub our archives in the junk mail to be able to find it,” Reynolds said.
The Spring of Tampa Bay and The New College Foundation also notified donors.
“We sent out a communication on July 23 to all our constituents for whom we do have an email address. That was over 14,000 individuals,” said Hughes.
Blackbaud has said it’s now working with the FBI to try to uncover how this happened and the identity of these hackers.
Here are some of the organizations that were notified of the breach and how they responded:
New College Foundation sent this email to donors:
We are writing today to inform you about a data security incident that occurred with New College Foundation’s database provider, Blackbaud. We were alerted that there may have been a data breach which may have involved your personal information. We apologize for writing without all the details, but want to share with you what we know today.
What happened: New College Foundation uses a fundraising database management system, Blackbaud, that provides services to 25,000+ clients in 60 countries. Blackbaud informed its clients on July 16 that it was the subject of a “ransomware” attack by cybercriminals.
What does that mean?: It is important to note that New College Foundation does not store credit card or social security numbers on our database. It appears that cybercriminals did access back-up files among Blackbaud’s 25,000 clients. Blackbaud has informed us that the data could include names, addresses, dates of birth, and giving history for donors.
Blackbaud has further informed its clients, including the New College Foundation, that it is confident – based upon the work of its third-party security consultants and legal teams – that the hackers destroyed the back-up files they accessed. Blackbaud has also informed us that it has no reason to believe that any data was, or will be, misused or disseminated. The FBI has begun an investigation aimed at finding the hackers who conducted the attack.
What happens next? As mentioned above, Blackbaud reports it was able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. It has confirmed through testing by multiple third parties, including the appropriate platform vendors, that its fix withstands all known attack tactics.
As part of its ongoing efforts to help prevent something like this from happening in the future, Blackbaud has implemented several additional changes that will protect your data from any subsequent incidents, and is accelerating its efforts to add additional security measures.
What you can do: According to Blackbaud, there is nothing you need to do to protect your information further. We are sharing these details with you in an abundance of caution so that you are aware of the situation. As a best practice, we recommend that you always remain vigilant of any possible suspicious activity.
The New College Foundation is working with my office and the New College Chief Audit Executive/Chief Compliance Officer to investigate these matters further. If we learn anything else from our investigation that leads us to believe there are further steps you need to take, we will be in touch with you immediately.
Thank you for your support of New College. We are very sorry about any concern or inconvenience this may cause. Please know that the New College Foundation takes cybersecurity very seriously and demands that same vigilance from our vendors.
If you have further questions, please do not hesitate to contact me directly and/or call the New College Foundation at 941-487-4800. We will be happy to talk with you.
Florida Aquarium sent the following email to donors and members:
We were recently made aware of a security data incident with one of our software providers, Blackbaud, and we wanted to make sure you were aware of this unfortunate occurrence that may have involved your personal information. The data incident only applies to Blackbaud’s computer software and systems, not The Florida Aquarium’s. It is our understanding from Blackbaud that their Cyber Security team, along with law enforcement and independent forensics experts, stopped the cyberattack, and took swift action to fix the problem. Blackbaud has confirmed through testing by multiple third parties, including the appropriate platform vendors, that this fix withstands all known attack tactics.
The Florida Aquarium takes our obligation to safeguard your personal information extremely seriously. The only information we store on the Blackbaud cloud system is contact information, general demographics and history of our relationship as appropriate for each account, and we have been assured that all sensitive information is encrypted and no credit card information or bank account information was ever obtained. Upon learning of the incident, we immediately assessed our internal information to ensure none of our systems were compromised (which they were not), verified our encryption process for storing any sensitive information, and insisted Blackbaud notify us of any developments pertaining to this incident. We will continue to evaluate our data storage protocols to further increase the safety and security of all personal information. Blackbaud does not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly, but as a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. As a reminder, The Florida Aquarium does not request or solicit direct deposit donations or payments, and any official communications from The Florida Aquarium would originate from our email@example.com email address.
We apologize for any unease this may cause, but again, we have been assured by Blackbaud that no credit card or financial information was obtained. Should you have questions, please don’t hesitate to reach out to our customer service representatives via email at firstname.lastname@example.org.
Sincerely, The Florida Aquarium
The Crisis Center of Tampa Bay email to supporters:
Dear Crisis Center of Tampa Bay Supporter:
We value you and your support as a member of the Crisis Center family. With that in mind, and to ensure we are continuing to build trust and transparency, we wanted to make you aware of a security breach experienced by our fundraising and donor software provider, Blackbaud, that was recently reported to us. Crisis Center donor records could include donors’ names, physical addresses, phone numbers, birthdates, and donor profile information, such as giving history.
Any credit card information on file with the Crisis Center is encrypted and is not stored within this software system.
Here’s a brief summary from Blackbaud:
In its notification, Blackbaud indicated that certain financial-giving records were included among the data potentially impacted by the recent incident. Such records could include donors’ names, physical addresses, phone numbers, birthdates, and donor profile information, such as giving history. According to Blackbaud, sensitive personal information, such as Social Security numbers and credit card data, was not impacted as a result of the Blackbaud incident. Moreover, the Crisis Center of Tampa Bay does not capture donor Social Security numbers.
The Crisis Center is maintaining regular contact with Blackbaud to ensure we can be immediately informed of any further developments and will inform you of any new information we receive. As an organization we use encryption for all sensitive information.
Your trust and security are of the highest priority. If you should have questions, please don’t hesitate to reach out to Jennifer Moore at email@example.com.
Thank you for helping us ensure that no one in our community faces crisis alone!
Pace Center for Girls Statement:
“In July, we became informed that our trusted software vendor Blackbaud, responsible for our donor database, had discovered a ransomware attack on its systems. Blackbaud is a well-respected provider of cloud and data services used by more than 25,000 organizations, as well as other non-profits. Upon working with Blackbaud to understand the effects of this attempted violation, we took immediate action to alert our Pace donors. At this time, Pace has no reason to believe that the sensitive personal information of our donors has been breached or misused and will continue to work closely with Blackbaud to monitor the situation and provide updates to our donors as they become available to us.”
Community Foundation of Tampa Bay:
The Community Foundation of Tampa Bay uses Blackbaud products and we were notified by Blackbaud recently that a ransomware compromise had occurred. We contacted Blackbaud for more information through the dedicated phone number they provided us. We were told that only names and email addresses were taken but destroyed before the information could be used illegally. Also, because the Foundation does not store private financial information in our database, we are confident that our fundholders were not affected and have notified them of the incident.
March of Dimes:
March of Dimes Inc. takes the protection and proper use of donor information very seriously. The organization was recently notified by one of its database providers, Blackbaud, of a security incident in which they stopped a ransomware attack. During the attack, the intruders removed files from Blackbaud's platform, which hosted data for hundreds of colleges, universities, health care organizations, schools, charities and other non-profit organizations, including March of Dimes. Blackbaud believes the breach occurred between February and May 2020. Blackbaud discovered the incident in May, conducted an investigation, and notified March of Dimes on July 16, 2020.
March of Dimes determined that the compromised file contained data about its donors. While the review of the data is ongoing, the data file included donors' names and titles, addresses and contact details (e.g., phone numbers and e-mail addresses), philanthropic interests, some donation history and dates of birth.
March of Dimes and Blackbaud believe there is a low risk that the data will be misused. Blackbaud worked with law enforcement and third-party experts to investigate and resolve this incident. Blackbaud paid the intruder using a third-party expert who confirmed that any data copied had been destroyed. An expert retained by Blackbaud continues to scan the web and has not found any exposed data from this incident online. Blackbaud plans to continue such monitoring activities for the foreseeable future and has committed to alerting March of Dimes if they find any of its donor data. More information about this incident is available on Blackbaud's website: https://www.blackbaud.com/securityincident
March of Dimes sincerely apologizes to its donors for this incident and regrets any inconvenience it may cause them.
Tampa General Hospital Foundation:
As a non-profit academic medical center, Tampa General Hospital is grateful for all donations we receive. TGH’s Foundation uses the Blackbaud online donor platform, and was made aware of Blackbaud’s data breach. Because TGH does not store any sensitive information on this platform, no sensitive information was compromised. A full investigation was conducted by Blackbaud, as well as our internal Information Technology Cybersecurity, confirming the integrity of TGH donor data was intact and not compromised.
Berkeley Preparatory School:
We were notified a few weeks ago. Blackbaud sent us detailed instructions of the steps to be taken to learn if any of our information had been compromised. We were lucky. The review indicated private information about donors was not taken in the cyberattack. We don’t keep credit card numbers on file. After the reported breach, we deleted all donor Social Security numbers from our system.
Jesuit High School:
We conducted a full review of our database and determined no donor information had been compromised.
Tampa Metropolitan Area YMCA:
We were notified of the breach on July 16th. We were told none of our donors were affected. We don’t have any credit card information stored on a Blackbaud server.
SPCA Tampa Bay:
We were notified of the incident July 16th. We are working with our IT department and legal team to determine how to respond.
American Heart Association:
We were notified in mid-July databases were compromised. About two percent of donors were affected. The information the hackers accessed was mostly publicly available information, like names, addresses, emails and phone numbers. Credit card and Social Security numbers were not compromised. We notified those whose information was compromised.
The Spring of Tampa Bay:
We value you and your support as a member of The Spring family. With that in mind, and to ensure we are continuing to build trust and transparency, we wanted to make you aware of a security breach experienced by our fundraising and donor software provider, Blackbaud, that was recently reported to us.
In its notification, Blackbaud indicated that certain financial-giving records were included among the data potentially impacted by the recent incident. Such records could include donors’ names, physical addresses, phone numbers, birthdates, and donor profile information, such as giving history. According to Blackbaud, sensitive personal information, such as Social Security numbers and credit card data, was not impacted as a result of the Blackbaud incident. Moreover, The Spring does not capture donor Social Security numbers.
What Blackbaud Did
Because protecting customers’ data is their top priority, our third-party service provider paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
The Spring is maintaining regular contact with Blackbaud to ensure we can be immediately informed of any further developments and will inform you of any new information we receive. As an organization we use encryption for all sensitive information.
Your trust and security are of the highest priority. If you should have questions, please don’t hesitate to reach out to Ellen Boczarski at firstname.lastname@example.org or 813-247-5433.