[BreachExchange] Blackbaud Expects Cyber Insurer Will Cover Most Attack Costs

Destry Winant destry at riskbasedsecurity.com
Mon Nov 9 11:07:41 EST 2020


https://www.govinfosecurity.com/blackbaud-expects-cyber-insurer-will-cover-most-attack-costs-a-15298

As the list of customers reporting data breaches tied to the May
ransomware attack on Blackbaud continues to surge, and related legal
actions against the company grow, the cloud-based fundraising software
vendor recently told Wall Street that it expects cyber insurance to
cover the bulk of its costs associated with the incident.

During an Oct. 30 call with financial analysts to discuss the
Charleston, South Carolina-based vendor's third quarter earnings,
Blackbaud executives also said the company has fixed a weakness in one
of its older products linked to the cyber incident.

"Through our forensics investigation, we were able to understand
exactly how this [cyberattack] occurred and we've remediated the
vulnerability, which was tied to one of our early generation
products," Michael Gianoni, Blackbaud president and CEO told analysts,
according to a transcript of the call.

The company is "incorporating lessons learned from this incident to
continue improving on our cybersecurity program and further harden our
environments while being transparent with our customers on our
progress," Gianoni told the financial analysts.

"These types of cyber threats are on the rise, and over the last
several years Blackbaud has invested significantly in terms of
dollars, and human resources to enhance our cyber security program and
preparation for an attack like this."

Growing List of Victims

Blackbaud did not immediately respond to Information Security Media
Group's request for details regarding the "early generation product"
that contained the security vulnerability leading to the incident.

Blackbaud also declined ISMG's request for information regarding its
customers, including those in the healthcare sector, impacted by the
incident.

"We aren't disclosing the total number of customers - or any segment -
involved in the incident, and we cannot provide the names of those who
were part of this incident nor can we discuss any customer
specifically," Blackbaud told ISMG in a statement. "Those customers
which were part of this incident have been notified."

However, to date, based on data breach notifications and other
disclosures, at least 250 U.S.-based organizations - including
healthcare entities, educational institutions and non-profits - were
impacted by the Blackbaud incident, says Jim Van Dyke, CEO and founder
of security firm Breach Clarity.

A snapshot on Tuesday of the Department of Health and Human Services'
HIPAA Breach Reporting Tool website - along with notification
statements issued by the breached entities - shows that at least four
dozen healthcare sector organizations were affected by the Blackbaud
hacking incident.

The HHS website lists HIPAA breaches impacting 500 or more individuals.

In total, the website indicates that Blackbaud-related healthcare
sector breaches have affected about 10 million individuals.

Wide Reach

But it was not just U.S.-based entities impacted by the incident.
Other victims of the Blackbaud attack also include organizations in
Canada, Europe and New Zealand (see: Blackbaud's Bizarre Ransomware
Attack Notification).

"Organizations that suffered breaches of their data via service
provider Blackbaud had a wide variety of personal victim data exposed,
and it could be quite a while before all legal and other costs are
settled," Van Dyke says. "Notably, the breaches exposed a wide variety
of personal data, each with unique predicted risks and prescribed
action steps."

But in the recent earnings call with financial analysts, Blackbaud
executives appeared confident that the company's insurers would cover
most of the costs associated with the incident.

"We have good insurance in place - our insurers are working with us
very closely. The key there is coordinating with them and make sure
we're clear on what they're covering or not going to cover," Anthony
Boor, Blackbaud chief financial officer, told the analysts.

"At this point ... we believe insurance is going to cover the majority
of it, other than our internal resources and time. ... The big thing,
I think that you'll see probably in our numbers is just our continued
investment in our cybersecurity resources internally," Boor says.

Blackbaud's Numbers

Blackbaud's Form 10-Q filing with the U.S. Securities and Exchange
Commission for the third quarter ended Sept. 30 shows that the
company reported total revenue of $215 million, down 2.8% from the
same period in 2019, and net income of $4.9 million, up less than 1%
from the same quarter last year.

But the filing also provides a look at the expenses that Blackbaud has
laid out so far in the wake of the incident, as the company awaits
reimbursement from its insurers.

During the quarter, Blackbaud says it recorded $3.2 million of
expenses and $2.9 million of accrued insurance recoveries related to
the security incident. For the nine months ended Sept. 30, the company
recorded $3.6 million of expenses and $2.9 million of accrued
insurance recoveries related to the security incident.

"Recorded expenses consisted primarily of payments to third-party
service providers and consultants, including legal fees, and
enhancements to our cybersecurity measures," the company's SEC filing
notes.

"Due to the time required to submit and process such insurance claims,
we have not yet received any of the accrued insurance recoveries," the
company notes.

"We expect to continue to experience increased costs related to our
response to the security Incident and our efforts to further enhance
our security measures," the company's filing notes.

Legal Battles

Blackbaud is also facing a number of lawsuits and regulatory
investigations related to the security incident that "in the future
might result in adverse judgments, settlements, fines, penalties,
or other resolution," the company's quarterly filing with the SEC
notes.

"Although we carry insurance policies that we believe will provide
coverage for a significant portion of our current and expected future
losses and expenses related to the security incident, there can be no
assurance that they will do so."

To date, Blackbaud has received approximately 160 legal claims from
customers or their attorneys in the U.S., U.K. and Canada related to
the cyber incident, the company notes.

In addition, the company currently faces 23 putative consumer class
actions, including 17 in U.S. federal courts, four in U.S. state
courts and two in Canadian courts, each alleging harm from the
security incident, Blackbaud says in its SEC filing (see: Blackbaud
Ransomware Breach Victims, Lawsuits Pile Up).

"Lawsuits that are putative class actions require a plaintiff to
satisfy a number of procedural requirements before proceeding to
trial. ... As a result of these uncertainties, we may be unable to
determine the probability of loss until, or after, a court has finally
determined that a plaintiff has satisfied the applicable class action
procedural requirements."

Besides the lawsuits, Blackbaud notes that it is facing a variety of
governmental inquiries related to the incident.

So far that includes a consolidated, civil investigation into the
security incident by 43 U.S. state attorneys general, plus the
District of Columbia; as well as inquiries by the U.S. Federal Trade
Commission and HHS.

Internationally, Blackbaud also says it faces inquiries from the
Information Commissioner's Office in the U.K. under the U.K. Data
Protection Act 2018, the Office of the Australian Information
Commissioner and the Office of the Privacy Commissioner of Canada.

"We are cooperating with these offices and responding to their
inquiries," Blackbaud says in the SEC filing.

Breach Details

Blackbaud, in a data breach notification first posted on its website
on July 16, says ransomware-wielding attackers exfiltrated customer
data in May and attempted to encrypt it.

Blackbaud also acknowledged in its breach notification that it paid an
undisclosed ransom to the cybercriminals in exchange for their
assurance that all copies of the stolen data had been destroyed. Such
an assurance cannot be independently verified.

"After discovering the attack, our cybersecurity team - together with
independent forensics experts and law enforcement - successfully
prevented the cybercriminal from blocking our system access and fully
encrypting files and ultimately expelled them from our system," the
notification said. (See: Questions Persist About Ransomware Attack on
Blackbaud).

However, in a Form 8-K Blackbaud filed with the SEC in September, the
company said its forensic investigation found that for some of the
notified customers, "the cybercriminals may have accessed some
unencrypted fields intended for bank account information, Social
Security numbers, usernames and/or passwords." (See: Blackbaud:
Hackers May Have Accessed Banking Details).

But during the analyst call last week, Blackbaud CFO Boor said the
company did a "great job" containing the incident.

"Obviously, we got these guys in the midst of their efforts - they
weren't able to take over our systems, but I think that was great, but
it's still going to be painful to work through, but there'll be plenty
of disclosure on the topic in the financials and we will certainly
build any estimated cost we would incur into the 2021 plan," he said.

Based on the investigation into the incident so far, "we have no
reason to believe that any data went beyond the cybercriminal, was or
will be misused, or will be disseminated or otherwise made available
publicly," Blackbaud says in its quarterly filing. "Our investigation
into the security incident by our cybersecurity team and third-party
forensic advisors remains ongoing."

Impacted Customers

Meanwhile, the list of healthcare organizations impacted by the
incident continues to grow.

Among the most recently added Blackbaud-related incidents posted to
the HHS Office for Civil Rights' tally of major HIPAA breaches are
reports filed by:

Florida-based Moffitt Cancer Center, with nearly 96,000 individuals affected;
Illinois-based OSF HealthCare System with about 94,200 individuals impacted;
Pennsylvania-based Geisinger with more than 86,400 individuals impacted.

So far the largest health data breach related to the Blackbaud
incident was reported by Virginia-based Inova Health System in
September, with more than 1 million individuals affected (see: Tally
of Those Affected by Blackbaud Hack Soars).
