Subscribers | Charities Management magazine | No. 138 Early Summer 2021 | Page 6
The magazine for charity managers and trustees

What the Blackbaud hack has taught charities

As some of you will remember, in May 2020 the world’s largest provider of education, administration, fundraising and financial management software, Blackbaud, was hacked. Blackbaud was used by many British universities and charities to store their client/student/donor data.

It took the company eight weeks to reveal to the world that hackers had breached its systems and downloaded sensitive data going back to 2017. When it did announce the hack, it played it down, insisting that no payment card or bank account details had been compromised, but it soon emerged that equally sensitive information had been leaked in some cases: names, ages, addresses, assets and estimated wealth, the value of past donations, histories of political and philanthropic giving, and spouses’ identities and gift-giving history.

British charities affected

The Information Commissioner’s Office (ICO) has received reports from 166 British institutions informing it that their data had been breached in the attack. The charities affected include Young Minds, the National Trust, Action on Addiction, Breast Cancer Now, Maccabi GB, Choir with No Name, Crisis, Sue Ryder, The Wallich and The Urology Foundation, as well as multiple British universities.

Under GDPR a processor such as Blackbaud must notify the organisations whose data it holds of a breach without undue delay, and those organisations must in turn report it to the ICO within 72 hours of becoming aware, so an eight-week silence was a clear violation of the regulation and left Blackbaud’s customers unable to meet their own deadlines. British charities were understandably upset: Crisis chief executive Jon Sparkes told supporters in a letter that he was “incredibly frustrated” by the breach and that the charity was carrying out a full investigation.

In a controversial move that is not illegal, but is not recommended either, Blackbaud admitted to having paid the ransom demanded by the hackers in return for their assurance that the copied data had been destroyed, an assurance that cannot be independently verified. It defended the decision by saying:

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

Blackbaud has said that it is working with law enforcement agencies to see if the data has since appeared on the dark web.

Since the breach, 23 class action lawsuits have been launched against Blackbaud in the USA and Canada.

In its third-quarter 2020 report (Form 10-Q) filed with the US Securities and Exchange Commission (SEC), Blackbaud said:

“The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees, and other related relief.”

Paying ransom unsatisfactory response

Terence Jackson, chief information security officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, notes:

“These lawsuits are an example for companies that choose to pay the ransom. There is no guarantee that the attackers did destroy all of the data. It could resurface and pose a risk to the litigants. While there are no magic bullets in cybersecurity to prevent an attack, this should be a call to action for companies that are not investing in their security programme to prevent, detect and respond to these types of attacks.

“In addition to the class action suits, there are government agencies from the United States, United Kingdom, Australia and Canada looking into this incident, which means hefty fines could also be leveraged.”

What has the charity sector learned from the Blackbaud attack? The latest Government Cyber Security Breaches Survey reports that only 8% of charities “review cyber security risks posed by suppliers”. So it would appear the answer is “very little”, and that reviewing the cyber security practices of third party suppliers needs to be given much higher priority by charities in general.

Let’s look at some statistics taken from the Government Cyber Security Breaches Survey 2021:

A quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years this is higher among high-income charities (51%).

For the 26% of charities which identify breaches or attacks, one in five end up losing money, data or other assets.

Where businesses have faced breaches with material outcomes, the average (mean) cost of all the cyber security breaches these businesses have experienced in the past 12 months is estimated to be £8,460. For medium and large firms combined, this average cost is higher, at £13,400. There are too few charities in the sample to report average costs for charities in this way, but the overall costs recorded for businesses and charities follow a similar pattern.

Senior managers not updated

Seven in ten (68%) charities say cyber security is a high priority for their trustees. However, the percentage of charities reporting that their senior managers are never updated on cyber security has risen since last year (to 23%, from 12% in 2020). Interviewees felt that management boards and end users did not fully appreciate the role of cyber security in ensuring long term business continuity.

Fewer charities (29% vs. 38%) are now undertaking any form of user monitoring.

The survey findings highlight that only a minority of charities overall have taken specific action as follows:

  • Only 29% of charities have taken out some form of cyber insurance.
  • Only 32% of charities undertake cyber security risk assessments.
  • Only 14% of charities test staff, such as through mock phishing exercises.
  • Only 12% of charities carry out cyber security vulnerability audits.
  • Only 8% of charities review cyber security risks posed by suppliers.

The figures in the report make frightening reading. 51% of high-income charities reported having a cyber security breach between March 2020 and March 2021, with one in five losing money, data or other assets. Yet 23% of charities say their senior management are “never updated on cyber security”, a figure that has gone up from 12% in 2020. To think that 68% of charities do not undertake any cyber security risk assessment at all is very worrying.

Third party cyber risk

Cyber security experts recommend implementing a vendor cyber risk management framework, which defines the processes and procedures to be followed to assess, monitor and mitigate the third party cyber risk that arises from dependencies such as cloud providers and hosted software platforms. Ready-made starting points exist: the National Institute of Standards and Technology (NIST) Cybersecurity Framework in the US includes a supply chain risk management category, the UK’s National Cyber Security Centre publishes supply chain security guidance, and Cyber Essentials certification can be required of suppliers as a minimum baseline. In practice this means asking each supplier that holds your data where it is stored, who can access it and how quickly you will be told of a breach, and writing those notification obligations into the contract.

The findings of the government report are very troubling, and UK charities really do need to have robust security controls and insurance in place. Charities should address cyber security with urgency before they become the victim of an attack, which these statistics indicate is a case of “when” not “if”. Protecting your charity from cyber attack isn’t hard and doesn’t need to be expensive, but the steps taken need to become hard wired into the charity, executed and adhered to from the top down, on a daily basis.
