[BreachExchange] Blackbaud Confirms Hackers Stole Some SSNs, as Lawsuits Increase

Destry Winant destry at riskbasedsecurity.com
Mon Oct 5 11:13:16 EDT 2020


https://healthitsecurity.com/news/blackbaud-confirms-hackers-stole-some-ssns-as-lawsuits-increase

September 30, 2020 - The ransomware hackers behind the massive
Blackbaud ransomware attack and subsequent data breach likely had
access to more unencrypted data than previously disclosed, including
bank account information, Social Security numbers, usernames and/or
passwords, according to a recent Securities and Exchange Commission
filing.

In addition, several of the millions of breach victims have filed
lawsuits against the vendor.

Blackbaud is a cloud computing vendor for nonprofits, foundations,
corporations, education institutions, healthcare entities, and change
agents. Beginning in mid-August, the vendor began notifying some of
its clients that it had fallen victim to a ransomware attack, and the
hackers exfiltrated data prior to launching the malicious payload.

The hack on its self-hosted environment lasted from February 7 until
it was discovered by Blackbaud on May 20. During that time, the threat
actors stole sensitive data from donors, potential donors, patients,
community members with relationships with the entity, and other
individuals tied to the impacted organizations.

The breached data varied by entity: for Northern Light Foundation in
Maine, the affected data included names, contact details, and
birthdates of 657,692 individuals. Other impacted entities included
the Children’s Hospital of Pittsburgh Foundation, Saint Luke’s
Foundation (360,212), MultiCare Foundation (300,000 total individuals,
of which 179,189 are patients), Main Line Health (60,595), Spectrum
Health (52,711), and Northwestern Memorial HealthCare (55,983).

The largest client affected by the Blackbaud breach is Inova Health
System in Virginia with 1 million individuals included in the tally.
In recent weeks, other organizations have been added to the tally:
Enloe Medical Center, Roper St. Francis Healthcare, NorthShore
University Health System in Illinois, Harvard University, University
of Kentucky HealthCare, the Guthrie Clinic, and Atrium Health, just to
name a few of the reported 25,000 impacted clients.

So far, more than 6 million individuals have been added to the breach tally.

Blackbaud paid the ransom demand “with confirmation that the copy they
removed had been destroyed.” And at the time of the initial reports,
the vendor stressed that banking information, SSNs, and other more
sensitive data was not included in the breached servers – but that may
not be the case.

“After July 16, further forensic investigation found that for some of
the notified customers, the cybercriminal may have accessed some
unencrypted fields… In most cases, fields intended for sensitive
information were encrypted and not accessible,” according to the SEC
filing.

At the moment, it’s unclear which hacking group was behind the attack
but many groups have taken to the double extortion technique made
popular by Maze hackers, including NetWalker, REvil, Sodinokibi, Pysa
or Mespinoza, and Suncrypt, among others.

These attacks can lead to a host of issues, including identity theft
and fraud, as well as later attacks on these individual victims.

In response, at least 10 separate class-action lawsuits have been
filed against Blackbaud, including in the US District Court of South
Carolina in Charleston, US District Court Western District of
Washington, and the California Central District Court.

The victims alleged Blackbaud was negligent and breached its contract
and that individuals are now at a heightened risk of identity theft
and fraud. Another lawsuit argues that Blackbaud demonstrated an
“unreasonable lack of oversight and lax security measures.”

Blackbaud is also accused of failing to timely notify breach victims
of the incident and its impact, as well as “failing to properly
monitor the computer network and systems that housed the private
Information; failing to implement appropriate policies; and failing to
properly train employees regarding cyberattacks.”

“Had Defendants properly monitored their networks, security, and
communications, they would have prevented the data breach or would
have discovered it sooner,” according to the lawsuit filed in the
District of Washington.

The lawsuits seek to “recover damages, restitution, and injunctive
relief” on behalf of breach victims, which they claim were a direct result
of Blackbaud’s “unreasonable and deficient data security practices.”

A lawyer representing the individual who filed the lawsuit in the
Washington district court has filed a motion to consolidate these
lawsuits into one.

Meanwhile, Michigan Attorney General Dana Nessel has urged residents
to watch out for fraudulent emails or phone calls seeking personal
information or suspicious donation requests, in light of the Blackbaud
breach reports.

“Personal information with this level of detail, in the hands of
fraudsters, is particularly susceptible to spear phishing – a
fraudulent email to specific targets while purporting to be a trusted
sender, with the aim of convincing victims to hand over information or
money or infecting devices with malware,” Nessel warned.

“Anyone who receives a notification letter regarding the Blackbaud
data breach should not dismiss the letter and should not only take the
recommended steps in the notice,” she added. “Recipients, and others,
should also remain vigilant for suspicious emails, texts or phone
calls asking for personal information, donations or other payments.”

Nessel released a similar notice in 2019 after third-party vendor
Wolverine Solutions reported that at least 600,000 state residents
were affected by a ransomware attack.

