Several major San Diego nonprofits including KPBS and San Diego Zoo Global potentially lost private donor data to cybercriminals as recently as May 20.
They — along with the elite private Francis Parker School — were clients of Blackbaud, a South Carolina-based cloud computing provider (with an office in San Diego), which announced the hack.
On Wednesday, Parker notified its community members — including alumni, parents and former staff — that it learned of the ransomware attack July 16.
“The cybercriminals had NO access to Francis Parker School systems,” said an email from Shara Freeman Hoefel, assistant head of school for external relations.
The San Diego Public Library Foundation echoed what Parker said — that the intrusion didn’t access credit card information, bank account information, passwords or any other private financial data.
CEO Patrick Stewart posted: “Because being responsible stewards of your trust is a central part of the Library Foundation’s values, we thought it best to alert you that Library Foundation donor information such as contact information, names, email addresses, physical addresses and giving histories could have been part of the breach on Blackbaud’s servers.”
Parker’s Hoefel assured her community that it had no evidence that personal information was accessed or otherwise misused, “though we recommend that you remain vigilant for any suspicious activity.”
A Blackbaud spokesperson Wednesday told Times of San Diego that “we are not providing the names of those who were part of this incident; nor can we discuss any customer specifically. The majority of our customers were not part of this incident – but those customers which were have been notified.”
Blackbaud continued: “More broadly, this incident was limited to a subset of our self-hosted (or co-located) environment. No entire product line was part of this incident. This incident did not reach solutions to the public cloud environment (Microsoft Azure, Amazon Web Services), nor did it reach the majority of our self-hosted environment.”
Blackbaud’s website lists KPBS and San Diego Zoo Global as customers. They didn’t immediately respond to requests for comment. The San Diego Humane Society, also potentially a victim, said it was looking into the matter.
Francis Parker School didn’t immediately respond either.
But the San Diego Foundation, another client, said the breach largely affected users with old versions of Blackbaud software.
“Because we are utilizing the latest suite of Blackbaud tools, we confirmed with Blackbaud that no private information about donors at The San Diego Foundation was exposed,” Chief Financial Officer James Howell said in a statement. “We continue to engage with Blackbaud as it addresses this issue.”
Wednesday evening, Library Foundation Marketing Director Charlie Goldberg said: “We have sent emails to donors and are in the process of sending letters to supporters for whom we have no email address.”
He said his group was monitoring the situation and Blackbaud’s efforts to correct the vulnerability that led to this incident and to firm up its security to prevent future breaches.
A spokeswoman for the UC San Diego Foundation, also listed as a client, said: “No UC San Diego Foundation donor data was exposed, lost or stolen as a result of this breach. UC San Diego maintains donor data on campus systems and these systems were not involved in the incident at Blackbaud.”
Blackbaud said: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
A malware monitoring group put the payment at $350,000.
So, it seems a company paid 350k$ for decryption of their files. And these actors wanted more to delete the stolen files. Trash…
cc @VK_Intel pic.twitter.com/YCIA1VQOOd
— MalwareHunterTeam (@malwrhunterteam) May 13, 2020
Media reports indicate that at least 10 universities in the United Kingdom, United States and Canada had data stolen about students and/or alumni.
The Providence Journal on Tuesday said the Rhode Island College Foundation and the Providence Children’s Museum were both affected by the ransomware attack on the outside vendor.
In May 2008, Blackbaud bought San Diego computer services firm Kintera for $46 million, gaining access to Kintera’s 3,900 customers, including the American Lung Association, the Lance Armstrong Foundation and Big Brothers Big Sisters of America.
Updated at 5:37 p.m. July 29, 2020