As an organization or individual doing social good, it may seem like you're not on the radar of cybercriminals. After all, these bad actors tend to strike well-known Fortune 500 companies and for-profit businesses. Companies like Facebook, Yahoo, Adobe, Equifax, Quora, and Canva have all been victims of massive data breaches in recent years.
But the Blackbaud data breach proved that this couldn't be further from the truth. In 2020, more than 120 nonprofits using Blackbaud's fundraising platform and services learned their sensitive data was stolen and held hostage in a ransomware attack. Millions of donors, customers, patients, and staffers were affected, and the attack went on to become the largest healthcare data breach of 2020.
Now more than ever, nonprofits need to understand how to protect themselves and their supporters.
We're here to help. In this article, we'll examine the Blackbaud data breach as a cautionary tale, discuss the rise of cyberattacks on nonprofits, and give you five practical ways to shield your organization from future data breaches.
The Blackbaud data breach: What happened?
Blackbaud is a South Carolina-based software company and one of the largest nonprofit technology companies, which made the breach big news. With a mission to help social good companies do more, Blackbaud provides tools like Raiser's Edge fundraising software and CRM systems, marketing tools, financial support, and more.
In May 2020, Blackbaud's cybersecurity team discovered that a ransomware attack had been in progress since February 2020. In this type of cyberattack, criminals encrypt or steal important data so the organization can no longer operate as usual. There are two common scenarios:
- Scenario 1: Cybercriminals infiltrate your system and encrypt sensitive information, like email addresses, medical history, bank account details, or trade secrets, so that your team can no longer read or use it.
- Scenario 2: Cybercriminals infiltrate your system and make a copy of your sensitive information and threaten to publish or sell it to other criminals, competitors, or countries on the dark web.
The attackers make a ransom demand, usually for money or cryptocurrency like Bitcoin. In return, they promise to decrypt the original data or permanently destroy the copied data. Note the word "promise." Sometimes, even when the victim pays, ransomware groups still sell the data.
Blackbaud's response to the data breach
Once they identified the attack, Blackbaud's Cyber Security team partnered with forensics experts and law enforcement. They stopped the ransomware group from encrypting their data (i.e., Scenario 1) and kicked them out of their system. However, the criminals managed to make a copy of a subset of data before they were removed (i.e., Scenario 2), and demanded a ransom to delete the stolen data.
Blackbaud decided to pay the ransom, and the cyberattackers assured their team that all copies were permanently destroyed. Blackbaud also hired experts to monitor the dark web in case the information was sold, but said it hasn't seen any evidence to suggest that.
Fallout from the Blackbaud data breach
In July 2020, Blackbaud first notified customers of the breach. Although the company stopped part of the ransomware attack, many Blackbaud users were upset. The biggest criticism was that the attack began in February, wasn't detected until mid-May, and users weren't notified until July.
At first, Blackbaud claimed that bank account information, Social Security numbers, usernames, and passwords werenât compromised, but later reversed this. As of February 2021, Blackbaud is facing more than 20 lawsuits and class action cases over the breach.
Nonprofits have called Blackbaud "negligent" and claimed it violated the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act, and the General Data Protection Regulation (GDPR) in Europe.
Who was affected by the cyberattack?
The ransomware group targeted a wide range of nonprofit organizations, both in the U.S. and internationally, including the following:
- Healthcare organizations
- Charities
- Human rights organizations
- Universities and colleges
- Churches
- Food banks
- Trusts for historical buildings
- Nonprofit radio stations
(If you're wondering whether any of your data was compromised, you should have received word by now.) Some of the most well-known names in the attack include Planned Parenthood, Human Rights Watch, Boy Scouts of America, the George W. Bush Presidential Center, and the Rhode Island School of Design.
Estimates put the number of victims at over 10 million individuals. They're mostly users, members, patients, donors, volunteers, prospects, and employees of the nonprofits.
What information was stolen?
During the roughly four months that cybercriminals had access to Blackbaud's system, they accessed a variety of personal data. This included:
- Full names
- Dates of birth
- Phone numbers
- Mailing addresses
- Email addresses
- Donation history (amounts, dates, etc.)
Then, in September 2020, Blackbaud told a smaller group of customers that more of their data may have been stolen, including:
- Social Security numbers
- Bank account information
- Credit card information
- Usernames
- Passwords
In the hands of criminals, this personal data makes supporters vulnerable to identity theft.
It also leaves them wide open to phishing attempts, in which a criminal sends a message that looks like it's from a legitimate person or business and asks them to do something, like update their personal information, open a malware-infected attachment, or send money.
Why nonprofits are increasingly at risk for cyberattacks
Cybercriminals thrive on chaos and confusion, and there was no shortage of that during the height of the COVID-19 pandemic. Ransomware attacks were especially effective. According to a CrowdStrike survey, six in 10 organizations suffered a ransomware attack in 2020.
Many nonprofits are dealing with fewer donations and revenue struggles due to COVID while still trying to fulfill their missions. That means investing in cybersecurity is low on the priority list, which raises the risk of cyberattacks. Victims may be more likely to pay the ransom so they're able to fundraise and serve their community.
In addition, the quick shift to remote work and digital fundraising has many nonprofit teams using some software tools for the very first time. If they aren't trained in cybersecurity best practices (like strong passwords or safe email usage), each account and device becomes a weak link in the chain.
The Blackbaud incident shows how one bad actor can put millions of people, including your amazing clients and supporters, at risk. A data breach can also lead to downtime, loss of customers, reputational damage, and legal troubles.
But it's not all doom and gloom. Let's look at ways to stay one step ahead of cybercriminals.
5 cybersecurity measures to prevent and prepare for data breaches
The best defense is prevention.
Below, we'll cover a combination of internal and external cybersecurity tactics to protect your organization's data. Unfortunately, not every cyberattack is preventable, but you can limit the damage with these steps.
1. Choose a secure fundraising platform
Start at the source! At a minimum, make sure your fundraising platform uses payment encryption technology (Givebutter uses the very best) and stays up-to-date with technology regulations and advances.
Don't be afraid to ask questions when you're evaluating a new platform. Is your data automatically backed up in multiple locations? Do they have a plan for different security incidents? What technical support is available? Are your donations protected?
2. Outsource your cybersecurity needs
Often, it's best to leave it to the experts. Consider hiring an on-site or virtual cybersecurity team that specializes in nonprofits. They can research, test, and use cutting-edge technology solutions to keep your organization secure.
If you already have an IT consultant or department, get their feedback. Do they feel they have all the resources they need to protect your organization from data security risks?
3. Schedule regular cybersecurity risk assessments
A cybersecurity risk assessment is like an annual check-up for your nonprofit. It's usually performed by IT staff or security firms and clues you into any weaknesses in your network, software (like your fundraising platform), or devices.
It's the perfect way to head off security threats, but only 30% of nonprofits have run one before. If you're looking for an immediate way to boost your security, a cybersecurity risk assessment is the place to start.
4. Have guidelines and protocols in place
Are you part of the 80% of nonprofits that don't have a policy to address cyberattacks? Every organization needs to create a clear, specific plan for how they'll respond in these stressful, fast-moving situations. Instead of wondering what to do, your team can act quickly and effectively, limiting fallout and maintaining the trust of your supporters.
Not sure how to approach this? This is another great opportunity to consult with a cybersecurity team and come up with guidelines specific to your needs.
5. Train your employees on safe usage
Can your employees recognize the difference between a real and fake email from their co-workers? Do they know how to create strong, unique passwords?
Employee awareness and training is essential to reducing risk. Even the savviest tech wizards need to brush up on cybersecurity best practices every year, especially if you're in a high-risk industry like healthcare. You can outsource this to an IT team or search for courses online like this Security 101 training.
A more secure future
As nonprofit operations increasingly move online, relying on technology can sometimes feel a little like this:
However, the biggest cybersecurity risk your nonprofit faces is thinking that a cyberattack can't happen to you. As the Blackbaud data breach showed, cyberattacks can and do happen, whether criminals directly target your organization or go after the websites, tools, and partners you use.
Fortunately, there are many simple, protective measures you can utilize to lower the chance of attacks and make them less effective. You're on your way! We've covered the most important steps in this article: Pick a secure fundraising platform, consult the experts, set up cybersecurity risk assessments, train your employees, and have a response plan.