Blackbaud Cybersecurity Incident: What Your Organization Needs to Know (Video, MP3)


Listen to the MP3 of this webinar. This webinar did not rely extensively on visuals, and lends itself well to listening.


What are the Blackbaud cyber security incident response options for your organization?

On July 16, 2020, Build Consulting learned that Blackbaud experienced a significant, and extensive, theft of data and was the subject of a ransomware attack. As of July 22, much remains uncertain about the full scope of the attack, but Kyle Haines, Partner at Build Consulting, shares what we have learned thus far and what your organization should consider as you determine how to respond—including:

  • How to evaluate what notifications, if any, should be sent to constituents?
  • What are some of the potential areas of risk for your organization moving forward?
  • What changes should you immediately make to how your organization uses and manages systems that contain constituent information?

The presentation is approximately 30 minutes long, with facilitated Q&A at the conclusion of the webinar.

Kyle has over two decades of experience in nonprofit development and constituent relationship management operations, including making use of Blackbaud technologies to meet various needs—particularly the Raiser’s Edge. He is also an experienced nonprofit technology strategist and CIO.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience. And Build is scrupulously vendor-agnostic, so you will benefit from Kyle’s candid insight into this incident—including what it means for your nonprofit organization in the short-term, and for the nonprofit technology community at large.

Disclaimer: Build Consulting partners are not lawyers and this webinar should not be considered legal advice. You should seek appropriate counsel for your own situation and in the jurisdiction where you do business. We highly encourage you to understand your legal rights and liabilities regarding any cybersecurity incident your organization faces.

Presenter:

  • Kyle Haines, Partner

    Kyle co-founded Build Consulting in 2015, after working in and with nonprofit organizations to improve their development operations and technology for over 20 years. Kyle’s consulting work at Build touches all nonprofit operational areas—but has a strong focus on using technology to enhance constituent experiences, which leads to improved fundraising and greater mission impact.

Transcript

Kyle Haines:  I’m Kyle, I am a founding partner of Build Consulting. Peter Mirus is also on today’s call with me.  He’ll be serving as the moderator later when we enter the Q&A section of today’s webinar.

Here are some tips to get the most from today’s webinar.  The first is we’re going to be answering questions after my presentation, which should go about 20 minutes, and Peter is going to be helping me out as I said.  Next, our recommendation is that you avoid multitasking.  Personally, I am prone to this, especially with the security incident; for those of you who are in rapid response mode you might feel pulled in multiple directions. But if you multitask you might miss the best part.  Lastly, after the webinar via email we’ll be providing links to both video and MP3.

And just a quick promo—I’ll be focused on something in our next webinar that is a little bit more upbeat.  I am going to be leading a webinar presentation about Microsoft Dynamics and Salesforce and what you need to know before you choose one of those platforms. And that’s on Wednesday August 12th at 12 p.m. during a lunch hour.

About Build Consulting

A little bit about Build before we get started.  We work exclusively with nonprofit organizations and have served more than a thousand organizations.  We help our clients through incidents like these and more proactively making IT and IS decisions that ultimately are done in support of an organization’s mission.  And lastly, we work in a very collaborative way.  Our work is constructed in a way where we empower you to make decisions using our expert guidance and support. All our services are designed to help clients transform. They’re designed to help you serve constituents better and those constituents can range from funders, from donors, beneficiaries to volunteers, to your board and the general public.

Legal Disclosure

We’ve never had to put a disclaimer like this in webinars that we have done before, but we want to be clear today that we are not lawyers.  We do think, however, that the stakes surrounding this incident are incredibly high and your decision should be guided by what your legal obligations may be based on the extent of the breach as it pertains to your specific organization. Again, this is an incredibly serious data breach and we had to develop this webinar in record time.  We wanted to respond to what we see as an emergent issue and we want to give you information that we have been able to gather along the way, as well as our experience dealing with incidents like these that have occurred with other vendors and in other organizations.

What We’ve Learned About the Security Incident

There are three things we want to cover today.  One, we want to give you a better background, hopefully focused not on what is publicly available and what has been conveyed to us via email for affected clients, via the Blackbaud support pages that they have created for affected organizations, via the press, and via subsequent webinars that Blackbaud has put on.

We want to identify what we see as some of the potential risks and lastly, we want to talk about ways to think about and prepare — for potential responses.

As we learn more about this incident through disclosure by Blackbaud some of this background information may change.  From our perspective we are getting incremental information from Blackbaud that doesn’t yet satisfactorily answer questions about the short-, mid- and long-term impacts on Blackbaud customers or potentially the entire nonprofit sector as people become concerned about the security of their information when interacting with nonprofit organizations.

This was taken from the email that was provided to an affected customer.  This is what Blackbaud disclosed.  We think the information that’s bolded on this slide is reasonably straightforward.  And what remains for us and for many of the clients we serve are significant questions about what was not bolded.  Those questions include: What is the risk of the copies of data that were taken? What is the risk to organizations? How do we know that the copy has been destroyed?  And lastly, how did the cyber criminals get access? How do we know it hasn’t happened before? How do we know that it won’t happen again in the same way?

Blackbaud has cited in their communications that cyber crime is a multi-billion-dollar industry.  According to the 2019 internet crime report from the FBI, who is apparently doing the criminal investigation in the U.S. around this event, cybercrime losses in 2019 were just north of three billion dollars.  Losses from attacks that are labeled or classified as ransomware in 2019 were just shy of nine million dollars.  However, I want to read directly from what the internet — the FBI 2019 internet crime report said because I think it’s important.  “Regarding ransomware adjusted losses, this number does not include estimates of loss business, time, wages, files, or equipment or any third-party remediation services required by a victim.  In some cases, victims did not report any a {sic} loss amount to the FBI thereby creating an artificially low overall ransomware loss rate.”

So, what have we learned?  We’ve learned in subsequent — interactions with Blackbaud that a breach occurred sometime between February 7th, 2020 and May 20th, 2020.  We know that the technical investigation done by a third party has been completed and we also know that the criminal — investigations are ongoing.  And I say “investigations” because for folks that are in the UK or the EU or other countries, presumably law enforcement in those countries are involved in the investigation.

Again, from an early webinar that we attended a question was asked about whether Blackbaud can provide a copy of the data that was removed, and they indicated that they cannot.

We believe this — this impact to be widespread.  Nearly all of Build’s clients have been impacted in some way.  There are nearly one hundred and fifty people on today’s webinar, which we announced less than forty-eight hours ago.  For us that is indicative of the extent and reach of this breach on Blackbaud customers.

And I think I mentioned this already and just a little bit of a note for Build clients that had products in the Azure — Windows Azure that were hosted by Blackbaud and Azure or host their own data they were not affected. But anyone else who is self-hosted they have all been impacted in some way.

Lastly, what we learned was — or not lastly what I want to say next was Blackbaud has experienced long wait times for their incident response hotline. To us that’s another indication that they are being inundated with requests for more information and details and for potential remediation steps for their affected customers.

Another thing that we wanted to share is that Blackbaud disclosed that the organization that the data was associated with was not disclosed. That within the data itself the only information that was included was your organization’s site ID.  However, we think it would be easy for anyone who is capable of intruding into Blackbaud’s systems and accessing this data in the ways that they were able to do would be able to make inferences about which organization, for whom they have data.

What Don’t We Know?

So, what are the things that we don’t know?  We don’t know how the breach occurred.  And that’s important information for us to understand the extent to which Blackbaud believes that it can remedy that vulnerability in short periods of time or if it’s going to be a longer — longer term fix.  We do know that some organizations, and again I would underscore some, were asked to reset their users’ passwords, but not all.  So, that might be telling about the nature of the exploit.  We know that the cyber criminals were expelled from the system, but again we don’t know what measures Blackbaud has taken since becoming aware of the criminal activity. Blackbaud has committed to monitor the dark web, but they haven’t made any specific commitments about how long that will continue.  And lastly, we don’t have any details about how Blackbaud can assure us that the data that was taken was actually destroyed.

Whether intentionally or unintentionally this is the message that Blackbaud seems to be conveying.  If that’s the major takeaway that’s concerning.  If our house is burglarized and they held me hostage and they got a ransom from my wife, but on their way out the door they took a copy of the keys, I would hope she wouldn’t say, “They got what they wanted they won’t come back we don’t need to be concerned.”

What Are the Risks?

So, what are some of the potential risks?  As we learn more about this incident through disclosure by Blackbaud this might change.  Again, from our perspective we have incomplete information.   But imagine if the data was used in a phishing attempt to your entire database, with a link to a page other than yours and a call to action to call a number if their information is incorrect or out-of-date; this would be a highly personalized phishing attempt.

The losses in 2019 from these types of attacks were north of 300 million dollars.  Imagine a more sophisticated attack, something that is called “spear phishing,” where they go after a specific person, or they target your high net worth donors, or they solicit direct engagement with someone purporting to be a part of your organization. For many Blackbaud products, there are CRM products where part of the data that was exposed included activities with staff and what staff members were involved. Again, from the FBI, the losses from spear phishing were just about 60 million dollars in 2019.

There is a wealth of information that’s available to help aid in some confidence schemes.  So, what we performed for one of our clients was a sample risk assessment, and this data has been anonymized.  So, what we did was we identified all of the data that was unencrypted that was included in their instance of the Raiser’s Edge (this organization uses the Raiser’s Edge), and in their instance we color coded the legend so that we identified the areas of data that were at low risk and areas that were at high risk.

How Should an Organization Respond?

So, some of the things to consider as you think about responding to this incident.  This is based on Blackbaud’s guidance, and the way that they frame the decision is: firstly, what are you required by Federal, State, Territory etc. to disclose?  And my understanding, again I am not an attorney, is it is not just the regulations of the states in which you have physical presences, but it is the states in which you hold data for constituents that are residents of those states. But again, I can’t underscore enough that guidance from your legal counsel ultimately should be the arbiter of whether you’re made — required to make disclosures to specific constituents.

Secondly, the other part of the decision for you to make is simply: what is the right thing to do?  Every organization is going to look at this differently.  While we implore you to seek legal protections to make sure you are approaching this correctly irrespective of the legal implications.  And while I am not offering tacit advice, you’re going to see that I clearly have a point of view on this.

So, if you choose not to disclose.  I want to talk a little bit about some of the implications if you choose not to disclose.  Again, some of the information that’s disseminated today is being anonymized, so we don’t include any specifics from clients or organizations we work with. Many organizations have already started to notify their constituents.  If you have not disclosed to your constituents, they might already know.  The question is: what could be the risk to your organization if you knew but didn’t provide the opportunity for constituents to learn more about it?

Going back to the question about how do we know that the data was destroyed by the cyber criminals. The question is what if the data is used later? What if the way that they value that data and they have retained it changes over time? Who will be held responsible? Lastly, if you choose not to disclose and later there is a subsequent breach what is the risk to your brand?

So, if you choose to disclose some questions that you should be thinking about.  The first is: how we respond to potential inbound requests from constituents, from VIPs like board members, and from the media if the media happens to reach out?  How you respond to requests to constituents — from constituents where they say, “I want to see all of the data that was exposed is part of the risk — or sorry – is part of the breach.” Few of Blackbaud’s systems easily provide that information that include a comprehensive field listing of all of the fields that were tracked about a constituent.  How will you do that in a way — that protects them, provides them what they do and give them some sense of what the information that was part of this breach included?

And then lastly, if somebody requests to have their data entirely deleted, how will you provide confirmation to constituents?  And secondarily, to the extent that these systems integrate with your financial systems, how do you maintain that integration for reconciliations — and audit purposes?  So, if you received a donation from somebody for fifty dollars and you removed their record and later, subsequently in audit, they want to have — the auditor wants to see that donation, questions remain unanswered for us about how to facilitate that type of request.

Silver Linings

So, here are some potential silver linings.  This has hardly been the most optimistic webinar that I have ever done before.  The first is this is an opportunity for you to raise the importance of understanding the potential points of weakness within your organizations, around your systems and technology that you use.  Revisit your usage standards. A question that is coming up for us is: what constitutes data that should not be stored?  If I attend an event and I behaved badly and somebody records that information in your — in a database and I subsequently ask for a copy of that data, that information should be included in there.  This is an opportunity to revisit data that simply should not be recorded in a system like a CRM system.

There is an opportunity to revisit your audit practices.  So hopefully organizations have regular audit practices for data quality.  What are the audit practices around data that is stored improperly, either in unencrypted fields or data that should not be stored at all?  There is an opportunity to revisit all manners of data governance and usage across your organization.  This is an opportunity to implement data use policies for staff, for those of you who have volunteers engaged with your system, and others: what are the policies around acceptable use, around protecting sensitive information, and around accessing sensitive systems?

And then roll out multi-factor authentication on every application you can.  Unfortunately, some of the more prevalent Blackbaud products do not currently support multi-factor authentication.  We know that Blackbaud recommended many organizations institute more regular password resets and forced resets; as one of the partners of Build said: “That’s table stakes at this point.”  Those are recommendations that are antiquated.  The most modern and effective way, or one of the most modern and effective ways, to protect confidential information via password protection is through multi-factor authentication.

Lastly, our advice is don’t be passive.  And again, this is going to look different for every single organization. What does — having an active response look like?  We think that Blackbaud needs to provide more information to affected — customers so that you can communicate more information to constituents who are understandably going to be really concerned.

We — with that we’re going to move into the Q&A.  I hope that for those of you who dropped, I hope that today provided some new information and some new considerations as you think about charting a path forward. And with that I’m going to take a sip of water and I am going to hand it off to my colleague, Peter Mirus.

Question & Answer Session

Peter Mirus:  Great.  Thanks Kyle.  Thanks everyone for joining us today.  We have about 20 questions that have come in so far.  I have encouraged you to use the Q&A feature to do that if you can and if not you can go ahead and chat them in and I am going to ask Kyle to answer the questions in the order that they were placed.

So, the first question is from Denise, Kyle and she wants to know why did it take two months for Blackbaud to notify their clients of the attack?  The attack happened in May and we weren’t notified until mid-July.

Kyle Haines:  So, I don’t know the answer to that.  But I can make some inferences.  I believe because it was a technical investigation and a criminal investigation that there was probably — there was probably a need to hold off on disclosing it to customers.  And I recognize that may not be a satisfactory answer.  And on top of that that is my best inference as to why it took so long.

I did take the opportunity Denise to ask a colleague of mine who is a Chief Information Security Officer at a major university system whether he thought the length of time it took to disclose the breach was abnormal and he did not. Even though understandably all of us would want to know just as soon as possible.

Peter Mirus:  Thanks.  And thanks Denise for submitting that question.  And an anonymous attendee wants to know if we have not gotten an official notice from Blackbaud, would it be safe to say our organization is safe?

Kyle Haines:  I think that’s a question to pose to Blackbaud, but based on what they’re communicating they only communicated with affected organizations.  And it’s very — I feel very glad that you were not affected by this, and I think that given the number of people that were affected it’s unlikely by this point, based on what they’ve communicated, that if you were affected you have not yet been notified.

Peter Mirus:  Great.  Next question is from Kathleen and she wants to know: Do you know if this story is out in the press? Will our donors read about this in The Wall Street journal or some other publication?

Kyle Haines:  I know that it has been public — publicized in both ZDNET and also The NonProfit Times, perhaps in other places. And I’ll confess that we at Build have been in such rapid response mode as we’ve been supporting — our clients who have been impacted that I have not — not had an opportunity to monitor the broader press. But those were two places that it was — that it has been covered.  A board member of an organization that we work with actually found the information there.  She happens to follow technology news fairly closely, so she brought the question to the organization about whether the organization had been impacted by the breach.

Peter Mirus:  Thanks, Kathleen.  Paul wants to know: Was the breach specific to Raiser’s Edge or also the Financial Edge?

Kyle Haines:  It was it affected — so my belief is it affected a number of products that Blackbaud identified as being self-hosted, and given the geographic distribution, my inference is that the breach happened for products that were hosted in the Boston data center. That is one hundred percent conjecture.  I think like all of you, we are trying to do as much sleuthing and inference building as we can. But to indirectly answer your question, for the clients that we interact with we have heard of instances where it impacted ResearchPoint, the Raiser’s Edge, the Financial Edge, and NetCommunity, which is a deprecated product of Blackbaud.  However, just a quick note on NetCommunity: one of the questions that we have is whether usernames and passwords were exposed as part of the breach, and if they were, our concern is that unfortunately many people reuse passwords.  And so, if usernames and passwords were disclosed as part of the breach, that constitutes for us perhaps a different type of communication to the constituents that were contained within those data sources.

Peter Mirus:  Thanks to Paul for that question.  Ester wants to know: I assume that all nonencrypted fields were taken by the cyber — cyber criminals. How likely or possible is it that they also got copies of attachments like PDFs of the acknowledgment letters?

Kyle Haines:  That’s a good — that is a good question and I don’t have the answer to that.  For one organization, they have asked for PDF copies of everything that was attached to constituent records within their CRM solution.  Fortunately, the organization that I am referencing did not do that extensively.  So it’s not a big lift to be able to provide that; there are only about twenty-six instances of it, so it’s clearly a staff person who thought it was a good idea for a short period of time. But I don’t know what the ability as part of the breach — what their ability would have been to get attachments that were stored as part of a CRM solution.

Peter Mirus:  Aaron wants to know: If we did not get an email that we were part of this breach, do we disclose and what do we disclose?

Kyle Haines:  I think I would go back.  I think that really is going to be an organizational decision unfortunately.  I think the question for me is: for organizations that were not affected if they — can they take more of a wait and see approach with respect of how broadly this becomes aware?  It seems at a minimum that had — being prepared to have a response to constituents who ask the question was your organization impacted, that you have a response mechanism in place.

Peter Mirus:  Thanks for that question, Aaron.  David wants to know: what have your clients or others decided to do rough percentage of notify versus not notify?

Kyle Haines:  I can speak for the clients that I engage with actively.  And I can only speak to three of them that use Blackbaud products that were impacted by this breach.  And two of the three of them are actively preparing to respond to constituents and notify constituents of the breach.  The third one I just simply don’t know where — where they are in that decision making process, but I believe the two organizations, I believe that it’s safe to speak for them, that they believe they have a duty to notify constituents.  Peter, I don’t know if you — you know, I don’t know if you have any clients that you work with directly that have made that decision?

Peter Mirus:  I do not.  My — my clients currently are not using Raiser’s Edge products, so. Which is rare for me because of their prevalence.  Ashley had asked this one for me to answer: will the — will the recordings be available or will this content be available after the presentation? Again, we will be sharing the recordings in both YouTube video and download MP3 formats later this afternoon and we’ll be sending out an email to all registrants to that effect, so keep an eye out for that.

David wants to know, also the same David as before I think: is it your understanding that Blackbaud was not legally required to tell us about this breach?

Kyle Haines:  That’s a good question that I — I just simply don’t have an answer to it, unfortunately, David.

Peter Mirus:  Rick says: to confirm that there was no breach if we hosted Blackbaud with a third-party hosting company or if we used the Azure environment?

Kyle Haines:  Our understanding is that the products impacted are what Blackbaud describes as self-hosted, which to me is a little bit confusing because when I think of self-hosted I think of an organization hosting their data themselves, but for the purposes of what they have announced to date, self-hosted means that Blackbaud hosted in a data center that is not Azure.

Peter Mirus:  Thanks for that question.  Let me see who is next.  Aaron wants to know: should we be looking at another organization for our data needs? I am being asked to look into that.

Kyle Haines:  That’s an — that’s an excellent question.  And — I think — in some ways I think it would be — it’s a responsible question to ask.  And having said that, data breaches do happen. As the article in The NonProfit Times that covered this breach mentioned another vendor also was the victim of a ransomware attack.  So, I think that unfortunately organizations should not presume that this is a onetime event for them that is going to be limited to Blackbaud.  That said without knowing the nature of the attack or the method by which the attack was done, it’s hard to know whether this was the result of something that we believe Blackbaud could have addressed or whether this is just the nature of cyber crime in 2020.

If you do elect to look elsewhere, because I think that many organizations are frustrated, understandably, and/or angry. Moving to new solutions, perhaps many of you have been through this process before, is something that should be done thoughtfully.  Obviously, security would be a huge question that I would want to understand better as you looked at new vendors. How do they approach security? What precautions do they have in place? Have they had incidents before?  In addition to really understanding that, if you’re going to leave one solution for another, understand what the change management impacts would be in terms of making that change, what the scale of that change would be in terms of disruption to your organization, and make sure that everyone involved understood the cost to the organization of making that change.

Peter Mirus:  Cool.  We have so many questions to answer; it’s a good thing we’ve got plenty of time remaining.  I think we still have twenty odd questions, so —

Kyle Haines:  I think I might need another glass of water at some point.

Peter Mirus:  Yeah.  I’ll take — I’ll take on the next question.  Adrienne wants to know: what does that mean, multi-factor authentication?

Typically, this means that there is another piece of information required that’s unique to the individual that’s logging in, and it’s a point-in-time kind of thing.  It’s usually some sort of authentication code that’s either brought up on the — on an authenticator app that’s on a smart phone, like Google Authenticator or Microsoft Authenticator, or perhaps a — code that is texted to the individual’s smart phone on record or cell phone on record when they are trying to log in, or even a call that goes from the system to the cell phone number for the person that’s attempting to log in, asking them to provide the authentication code or to enter it on their phone’s keypad.  So, it’s an extra level of security that basically means we’re going to authenticate you by your username and password and by this other method.

Kathleen wants to know: how can we find out which fields are in our production database?  When I asked Blackbaud which fields were included in the cyber incident, they told me it’s the same fields that are in our production database.

Kyle Haines:  I would rank that up there with — from Blackbaud as one of the more frustrating responses, because that is a really difficult thing to provide. What they have said in multiple places is just to look at your database and those are the fields that were exposed.  That is an incredibly laborious way to inventory all of the fields that were included.  For those of you who are using Raiser’s Edge, if it gets to the point that we need to inventory at a field by field level, my plan was to use the import tool within Raiser’s Edge to create header rows for every single type of data that’s included.  However, I am not one hundred percent sure that all of the fields that are available are included in those import fields.  Things that I think — and I can just tell you what I am most concerned about.  I am concerned about all of the places that have open text fields, so that includes interactions, it includes notes, it includes notes associated with gifts, it includes relationship notes, it includes event participation notes; there are a number of places.

Just as a point of reference for folks there are tools out there that will scan text fields or scan any fields to identify personally identifiable information that’s included in those fields when you say they shouldn’t be included in those types of fields.  That for some organizations is going to be a logical next step if they believe that there is the risk that their data in open text field might have contained a single credit card number or contained for an educational — institution someone’s social security number or something that would be considered highly confidential information or for organizations that have other compliance issues like HIPAA or FERPA information in those fields.

Peter Mirus:  John wants to know: can you repeat what was said regarding the difference between where the organization – us – is located and where the donors are located, specifically where those are in different states?

Kyle Haines:  Sure.  Again, I feel like I should just have this – I should have a button that says this – I think consulting your attorney is — is ultimately what should be the arbiter of the answer to this question.  But for the organization for — for the organization that I have the most familiarity with, my understanding is that it is not the rules and regulations around disclosing data breaches are not particular to where you — you are geographically located or if you have multiple locations, it is about where the constituent lives.  And so, this is not dissimilar to US based organizations who engage in the — in the EU you are subject to GDPR irrespective of whether you have offices in the EU.

Peter Mirus:  Derrick notes that the data breach was also reported in the local Charleston newspaper and through a few posts on LinkedIn. I think it has also been covered on Reddit; it came up several times in his daily Google alert. So he just wanted to let the folks who had asked earlier whether it was out there in the press know about these things as well. Thanks for that, Derrick.

Ashley notes: we were not hosted by Blackbaud at the time of the breach, and it seems they may not have destroyed our live data and thus also had our backups. So this is a case in which they... how would you address that, Kyle?

Kyle Haines:  I hadn’t considered that, Ashley; I think that’s a great question: what Blackbaud’s data retention policies are and whether it’s possible that your data was impacted. Something that kept me up last night, not figuratively but literally, is that a client I’ve been working with is going through massive data hygiene and cleansing projects that were just not connected to this event itself. So the picture of a constituent record as of May 20th, 2020 is going to look different than it does today. It’s not just data that was added since that time, things like gifts or additional information; it is things that might have been changed or removed, and this organization, I would say, has hoarded data over time. And so a lot of the cleanup we’ve been doing is actually identifying what the high-quality data is, the data that actually informs strategy, rather than information that simply has questionable value. So I haven’t yet resolved how to do this or what our responsibilities are, but the truth is we can’t, for all constituents, say affirmatively that this is the data that was available and present as of May 20th, 2020, because of hygiene projects that were taking place concurrently with the Blackbaud investigation, the criminal investigation and the third-party technical investigation.

Peter Mirus:  Let’s see, what’s a good next question to ask you. Another anonymous attendee says: Not a question, but we were hosted by Blackbaud during initial setup to create custom fields to hold some PII that they did not support. We’re assuming none of these custom fields were encrypted, and we did receive notifications. Do you happen to know, Kyle, whether data that was stored in the custom fields was included in the breach?

Kyle Haines:  I mean, given what Blackbaud disclosed, it seems as though it was an entire backup copy of the whole database. I should say that the only notifications that we at Build have seen are the notifications to customers with affected products. So if the question is about a product that we haven’t seen, the answer might be different, but it is the entirety of the database. There is no limit on what was included, and the only things that were not included, again, were social security numbers, banking information and credit card information.

Peter Mirus:  Paula says: we use an installed version of FIMS, not a cloud-based version. Are we affected by this breach?

Kyle Haines:  So for FIMS, again, if it’s self-hosted, meaning your organization hosts the copy, then based on the disclosure from Blackbaud it did not impact people who hosted their own data or used a third-party hosting solution rather than Blackbaud. They didn’t state that explicitly, but I think that’s a safe inference. And for those of you who don’t know this, Blackbaud has been trying, I don’t know how actively, to move people incrementally to Microsoft Azure. So if you have already migrated to Microsoft Azure for hosting, you are not impacted. So again, to your question: if it is self-hosted by your organization and you don’t rely on Blackbaud to host your data, then based on what we know today you are not impacted.

Peter Mirus:  David has more of a comment that he would like to share. He says: for what it’s worth, our exposure was through a Blackbaud product we have not used for over two years. While we are still a Blackbaud customer on other products, this suggests to me that there may be former clients affected who may not even know that they were affected. Again, Kyle, I don’t think they were prepared to comment on that, but David, thanks for adding that piece of information.

Kyle Haines:  Absolutely.  Yeah, that’s helpful.

Peter Mirus:  A couple of people want to know if we could comment on the decision to pay the ransom. In your opinion, is it a best practice not to pay the ransom, and how would you determine the appropriate response for the situation at hand?

Kyle Haines:  You know, unfortunately, I can’t comment authoritatively on that, and there is an entire industry of folks who provide that counsel when you are the victim of a ransomware attack or any type of criminal enterprise, whether it’s a spoofing attempt or a phishing attempt. To my reading of the disclosure by Blackbaud, the most immediate threat was limiting the access of clients to their systems and shutting down access. I may be misreading that; maybe the risk was that the cybercriminals were going to deny Blackbaud access to the hosting environment. Again, because of the scant details, I don’t know. But I think that Blackbaud was forced to make a financial payment. The NonProfit Times did have an interesting comment towards the end of the article about the ransom, and inferences based on the financial disclosure requirements of Blackbaud being a publicly traded company, that it likely was not a significant enough ransom amount that they needed to disclose it specifically in their financials.

Peter Mirus:  I hope I am pronouncing this name right: Tamam, or Timam, wants to know: do we know if encrypted fields were stolen as well, and Blackbaud is assuming they are safe because they are encrypted, or were encrypted fields stored safely elsewhere and not part of the stolen data?

Kyle Haines:  I know, based on conversations with Blackbaud that I have been a part of, that credit card information was stored in a separate vault, and what Blackbaud shared is that the findings of the technical investigation were that that data was not part of the breach. It was not impacted. The other two pieces of information are encrypted; I am not a database architect, so I am going to do my best here. Those fields, the social security number and bank account information, were encrypted but not stored in a separate vault.

Peter Mirus:  I just wanted to say to the audience members who are asking us to speculate about the nature of the breach or exactly how it occurred: we don’t know, and it wouldn’t be proper for us to speculate on that. Another attendee wants to know: has there been any specific mention of Luminate being affected?

Kyle Haines:  Build Consulting has multiple Blackbaud customers using Luminate, and none of them received disclosures relating to Luminate, specifically Luminate Online.

Peter Mirus:  Jody just offered a comment that her organization learned that the document ID field in Financial Edge for the I-9 data was not encrypted. There were social security numbers, driver’s license numbers, passport numbers, et cetera, contained there. I don’t know if we have a comment in regards to that, Kyle, but thanks for putting that information into the mix, Jody.

Kyle Haines:  You know, my comment is that I want to jump off the webinar and let some of my clients that have FE know, so I really appreciate you sharing that information. This webinar has been really helpful, not only to the extent that it has hopefully been helpful to all of you, but I’ve gotten some great things to consider and more information. So thank you to everyone who shared more information. It’s been really useful.

Peter Mirus:  Sorry, I am just scrolling through the questions and answers here to see what we should prioritize in the time we have remaining. Somebody asked: is Blackbaud liable for our data that was breached, if any? Again, that’s not a question we can answer or speculate on; that’s something you need to consult your attorney about.

Can an organization contact you regarding their incident in the Blackbaud breach? You certainly can. If you have any follow-up questions for us, or any specific questions about how your organization should make its response or do additional discovery on its own behalf, you’re welcome to do that. You can reach out to Kyle directly, or you can simply use the contact page on our website, buildconsulting.com.

Somebody asked: can the slides also be sent as a PowerPoint deck? Kyle, do you have any thoughts on that?

Kyle Haines:  I don’t know what our practice has been in the past, Peter, but I think providing a PDF would be something we could definitely do.

Peter Mirus:  Okay, we’ll do that. Somebody asks: our organization is in Canada; is the breach being investigated in Canada as well, by any of our federal regulators?

Kyle Haines:  I don’t know the answer to that question. It’s a good one. You shouldn’t take this as the authoritative answer in the least, but on the webinar that I participated in, that question was asked about the UK. I would imagine that Blackbaud is approaching the regulations of each country individually and notifying authorities as appropriate. But again, for our Canadian colleagues, it’s definitely a question to put to Blackbaud.

Peter Mirus:  Somebody asked: would it be better to notify constituents via email or via print mailing?

Kyle Haines:  I think that you’re definitely going to have to do print, because you’re not going to have valid email addresses, especially for all constituents. You may not have any email address, or not a valid one. If you haven’t done a recent national change of address, there is a question for me about what the responsibility of nonprofits is to try to find the constituents that were impacted. A point of clarification that came up on a call I was on earlier this week: if you are obligated to notify, or you elect to notify people because it’s the right thing to do, using a targeted approach and only including people who have, for example, recently made a donation or recently received a service from your organization would, in my view, not be inclusive of the entire population of people who could be at risk of this data being used improperly.

Peter Mirus:  Somebody wants to know: we were told that the copy of our Research Point backup was part of this incident. Do you have any thoughts on what we should be thinking about regarding risk related to this specific issue?

Kyle Haines:  I apologize, because none of the people I interact with use Research Point now or have in the past. I’ll say it again: I think every organization needs to approach this differently. I do know anecdotally that an organization that had a Research Point backup that was impacted made the determination that there was not data that would compromise their constituents or put them at risk.

Peter Mirus:  Another person says: in their FAQ, Blackbaud says “to view the fields your organization uses, you can access your production database”, but how do we access our production database? This is Research Point related, and I don’t believe RP is self-hosted by us, so do we have to ask Blackbaud for a copy of our backup?

Kyle Haines:  So your production database, just to be clear, is the database that you access on a regular basis. Based on Blackbaud’s response in the webinar that I attended, they are not able to provide a copy of the specific data that was removed. What they had been saying as of that webinar was that they know the dates of the breach were from February 7th to May 20th of this year. So, hopefully that’s helpful.

Peter Mirus:  Somebody wants to know: were ImportOmatic or MergeOmatic affected?

Kyle Haines:  I am pausing because, one, I don’t know whether they’re affected, and two, I don’t know what data would be put at risk through those specific products. So, for those of you who don’t know those two products: ImportOmatic is a tool that organizations can use to import large, complex, or even small quantities of data into the Raiser’s Edge, and it also has links to other products like Luminate Online, Mailchimp and Classy. It is a data integration tool. And MergeOmatic, the second tool the question was about, is a tool to mass-merge duplicate records. So I think the question I would have for Omatic would be: is there any data that is actually stored within those products? My assumption is that there is no data stored within those products beyond configuration files, and what I mean by that is the configuration files that map fields and establish preferences and the rules by which data is imported or exported. But I think that’s a question to put to Omatic to get confirmation.

Peter Mirus:  Somebody asked: for how recent a donation should we contact donors?

Kyle Haines:  This is my opinion, but I don’t think that the construct should be around recent donors, or even donors. I think it’s all constituents in your database.

Peter Mirus:  Judy asks: what is the name of the tool that will scan text fields for personally identifiable information?

Kyle Haines: Dangnabbit! I was hoping nobody would ask that question. So, I don’t know the specific name of the tool. Actually, Peter and I were looking into that earlier this week as we were figuring out how to respond. Peter can amplify or correct this response, but it is possible to do in Microsoft SQL Server, for those of you who have access to that. For one of my clients the question is: can we engage a third party to do that, given that it’s not something anyone on the staff of this organization has the ability to do? It’s definitely something that is a little bit advanced, but from my reading, Peter, I didn’t think it was an incredibly onerous or incredibly difficult thing to do; you just needed to have access to the right tools and skill set to be able to do it.

Peter Mirus:  Mark wants to know: do you know if Blackbaud has multiple clients in one database, or are there separate databases per client? When he says clients, I think he means a Blackbaud customer, a product customer.

Kyle Haines:  It’s been a long time since I’ve seen the database architecture for the products that I have been talking about, but each customer instance is its own database that is deployed via Citrix on a virtual Windows server in their data centers, at least for organizations that are not in Azure. That’s what I am most familiar with. But your database is your database, and unless things have radically changed, your data is not commingled with other organizations’ data. That doesn’t mean that your data doesn’t reside on the same server or in the same hosting environment, which I think is why so many organizations are impacted.

Peter Mirus:  Somebody asked: did this breach also affect Blackbaud’s GIFTS database, or is it just Raiser’s Edge NXT and Financial Edge NXT? And a related question: do we have any awareness of whether or not this has affected eTapestry?

Kyle Haines:  I don’t know about eTapestry, just because of the disclosures that we received, and I also don’t know about GIFTS specifically. Those would be questions to put to Blackbaud.

Peter Mirus:  Paul asks: is Blackbaud liable in any way for costs we incur in our assessment or disclosure of this breach? Kyle, I think the answer to that question is we don’t know, and folks should —

Kyle Haines:  Yeah.

Peter Mirus:  engage their own legal counsel on that question.

Kyle Haines:  I would just suggest taking contemporaneous notes. I would recommend, as you move through this, documenting the meetings that you have, documenting the time invested, and documenting the activities that you undertake. I think all of those would be important things to do, if for no other reason than that if a constituent were to ask you what it is that you did, you have a contemporaneous accounting of what you did in response to this.

Peter Mirus:  Cool. Well, with that, we’re about out of time. If we didn’t have an opportunity to answer your question specifically and you would still like a response, please feel free to reach out to us. Again, you can visit the contact form on our website, buildconsulting.com/contact. Kyle, anything else you’d like to add before we wrap up?

Kyle Haines:  No, I really appreciate the opportunity to present today. I know that this is a rapidly changing situation; information is coming in iteratively, so I would encourage people to continue to monitor what information Blackbaud is providing and ultimately seek answers from Blackbaud to the questions that you feel weren’t answered today and that are really specific to your products or your organization. And I would again encourage you to seek legal counsel, specifically from a firm that specializes in these types of incidents.

Peter Mirus:  And then we’ll wrap up for today. Thanks so much, everyone, for joining us, and Kyle, we really appreciate it. This is one of our most well-attended webinars of all time. We ended up having around a hundred and twenty-five people on this call. Great for such short notice. Thanks again and have a good week.

Bye.