The cloud-based service provider Blackbaud last week updated its story about a cyberattack affecting its servers earlier this year, noting that hackers had gained access to unencrypted banking information and Social Security numbers for some of its customers. And while philanthropic organizations around the world have been affected by the attack, the company has declined to share publicly how many universities were involved in a breach now known to be more serious than previously reported.
In an email to EdScoop, a company spokesperson said Blackbaud is not publicly disclosing the identities of the affected organizations, and has instead chosen to notify them each privately.
“To respect the privacy of our customers, we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically,” the spokesperson wrote.
The company also said “the majority” of its customers were not affected by the incident, though dozens of organizations — including universities, nonprofits and hospitals — have announced that their customers’ data was exposed by the cyberattack in some way. (Bloomberg Law reported Tuesday that two patients of New York hospitals have filed lawsuits against Blackbaud, claiming the company violated state consumer protection laws and did not comply with data-protection standards.)
Blackbaud wrote in a Sep. 29 blog post that hackers removed data from the company’s private cloud environment.
“Forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” the company’s website reads.
Blackbaud’s statement also said the company paid the cybercriminal’s demand after receiving confirmation that the stolen information had been destroyed.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” the statement read.
In a blog post from July 16, which has since been revised, Blackbaud said the compromised data did not contain financial or Social Security information. An old version of the announcement indicated that the hack took place over the course of several months, from February to May, but that information has also been removed from the company’s website.
Some of the affected universities are known, but it’s unclear which, if any, saw their financial or Social Security data exposed. The California State University system told EdScoop earlier this year that the breach may have affected any of its 23 campuses. Other university customers listed on Blackbaud’s website include the University of Notre Dame, University of South Dakota, University of Central Arkansas and Wake Tech Community College in Raleigh, North Carolina.
Days after the initial disclosure, the BBC reported another dozen organizations had been affected by the data leak, including the Rhode Island School of Design and a handful of universities based in the U.K., such as University of Leeds and University of York.
Blackbaud customers also include organizations as wide-ranging as the Sacramento Zoo, the Catholic Diocese of Trenton and the University of London.
Colin Wood contributed reporting.