Data Breach Impacts Donors at Hundreds of Nonprofits
Last updated October 1, 2020
For several months now, my wife and I have been getting letters from various charities we support, telling us that “out of an abundance of caution” they want us to know about “a data security incident” that may have exposed some of our personal information.
These breach notice/apology letters indicate the charities’ own networks weren’t breached during this incident. Hackers targeted Blackbaud, the global cloud computing company they used to process donations and store donor information. Because Checkbook manages its own fundraising program, our donors aren’t affected by this breach.
Blackbaud, which is being sued about this breach, has not shared much information about the number of organizations affected by the attacks, nor how many people are at risk of becoming identity theft victims.
The Identity Theft Resource Center (ITRC) is tracking the breach. As of Sept. 30, it knew about 242 organizations that were hacked (nonprofits, schools (K-12, colleges, and universities), hospitals, and other healthcare providers), with a dozen or more organizations being added to the list each week. The ITRC estimates that nearly 6.5 million people have been impacted so far.
Blackbaud says it paid the hackers an unspecified ransom payment and received “confirmation” the copied data had been destroyed. Blackbaud says the hackers “may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” but in most cases, “fields intended for sensitive information were encrypted and not accessible.”
“This is really a big-deal breach, and unfortunately, it hit charities at a time when they are already having so much trouble and loss of revenue due to the pandemic,” said Pam Dixon, executive director of the World Privacy Forum. “And now they have to send breach notices out to all of their donors.”
Blackbaud has apologized for what it calls this “security incident” and assures those victimized that there is nothing to worry about:
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
But there’s no way to know that, cautions James Lee, chief operating officer for the ITRC.
“You have to assume the information was not destroyed, and assume the information is still there, for purposes of protecting yourself,” Lee told Checkbook. “If you get a notice about the Blackbaud breach, assume your information does still exist and is in the wild, and that this is the type of information you wouldn't want anybody to have.”
The biggest threat from this attack is that it gives criminals the opportunity to use the compromised data for social engineering. As the ITRC explains in its bulletin on the Blackbaud breach:
“Employees of the nonprofit organizations impacted by the breach may receive emails that look like they are from an executive, in an attempt at spear phishing. Donors and members of the nonprofit organizations impacted by the Blackbaud data breach may receive messages asking to provide their personally identifiable information (PII) to update their contact or financial information, either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with. If an employee comes across an email they find suspicious, they should go directly back to the person it claimed to come from and verify the validity of the message if it is internal. If it is someone claiming to be from outside the organization, it should be run by their manager, IT services, or someone who would be familiar with the relationship.”
An Unusual Twist
The data accessed by the hackers was being stored by Blackbaud, but it belonged to the various organizations using its services.
Because of that, Blackbaud is notifying its customers—the organizations affected—and leaving it up to them to notify those of us who might have had personal information exposed. Those notices should explain what type of information was accessed and how to respond.
For example, one of the notices I received said my contact information, date of birth, marital status, donation dates and amounts may have been copied by the cybercriminals. While it’s easy to dismiss the warning, digital security experts stress that it’s important to take the steps recommended in the notice.
“The types of risk people face are always based on the type of information compromised, and therefore—across the 240+ different organizations that had their data breached so far by Blackbaud—the action steps consumers need to take will vary from one breached organization to another,” said digital security expert Jim Van Dyke, CEO and founder of Breach Clarity. “This is highly unusual.”
Van Dyke suggests a few things everyone who gets one of these breach notices should do.
“They should monitor their credit. That at least allows you to catch the cases where somebody opens an account in your name,” he explained. “You should also monitor your existing accounts, like those at your bank or credit union, or credit card issuers.”
Freezing your credit files at the three big credit bureaus—Equifax, Experian, and TransUnion—is another way to reduce your risk of having a criminal open new accounts in your name. Since most of us get breached about twice a year, everyone should freeze their credit reports, Van Dyke said. Checkbook.org has more on that, and other ways to protect yourself against identity theft.
For those who had checking account information compromised in the Blackbaud breach, the World Privacy Forum (WPF) recommends calling the financial institution and asking to have a red flag alert and a verbal password put on that account to prevent a criminal from calling and accessing it.
WPF’s Dixon did that on her bank accounts. “It’s a little bit annoying to have to remember all of those passwords,” she admits, but when a crook tried to get into one of her accounts after a big data breach, they were stopped because they didn’t have the password.
Contact the Identity Theft Resource Center and talk with an expert advisor. Call 888-400-5530 toll-free or visit its website to live-chat.
Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at ConsumerMan.com.