Alison Stone gives advice for organisations who may be worried by the recent cyber attack on the major software provider
The breaking news this week from the world of Data Protection and Cyber Security focuses on the cyberattack and subsequent data breaches involving Blackbaud, a US-based cloud computing provider who offer range of software solutions for charities and voluntary organisations, which are widely used across the sector including customer relationship management (CRM) solutions, JustGiving and the popular fundraising and donor management system; Raiser’s Edge.
The cyberattack, purported to have taken place in May 2020, which, according to the statement provided by Blackbaud, has been managed and resolved, has now morphed into a data breach for organisations using its software products. At the time of writing, 125 organisations within the voluntary sector have reported to the Information Commissioner's Office (ICO) as being impacted by this. These include some high-profile charities such as The National Trust, Sue Ryder, Crisis and Human Rights Watch, as well as a number of well-known universities in the UK and overseas.
As yet we don’t have any information on how many organisations in Scotland have been impacted, however, if you have concerns that your charity may have involved, this blog provides some helpful hints and tips and suggested actions to take to navigate the minefield that is data protection and cyber security.
Has it happened to you?
Blackbaud operate software under a number of brands, namely JustGiving, Raisers Edge and Blackbaud itself. If your organisation is a purchaser of one of these products, you should have been informed directly by Blackbaud that you may have to take remedial action to deal with a data breach, in line with your obligations under the General Data Protection Regulations (GDPR) or Data Protection Act 2018.
Identify what data has been impacted and who you need to inform:
Blackbaud have stated that they are confident that the cyber criminals had no access to credit card, bank account or social security numbers, as these fields are all subject to encryption. That said, it is important to identify what data has been compromised and who you need to inform. You may have a Blackbaud Account Manager – this might be a good time to contact them for specific advice. Under the GDPR/DPA 2018, you are obliged to inform individuals if there is likely to be a risk to their “rights and freedoms”. You may decide this isn’t the case with this incident, however, with the associated media prominence of this, a statement of reassurance to stakeholders may be well advised and received.
Decide how you communicate with your stakeholders and what to say:
It may be worth summarising the pertinent details from the Blackbaud statement and supporting this with your own comments and reassurance to data subjects. If you haven’t, as yet, highlighted the incident to the relevant Supervisory Authority, it would be timely to do this now.
Whilst this does feel very much like a Data Protection incident, it is important to remember that this came about as the result of cyber-criminal activity and, more specifically, ransomware. Ransomware is a type of malware or malicious software. It lets hackers take control of a company's systems and encrypt their data, demanding payment to release it. It is often sent via a malicious email link to employees or installed via a “back door” such as an open port on a network.
Ransomware is not uncommon as a tool used by hackers. These comments from David Ferbrache, chair of the National Cyber Resilience Advisory Board support this… “It seems that ransomware tactics are shifting from crude low value extortion through end point encryption, to tailored attacks including on-line back encryption and theft of data (sometimes for public auction or private blackmail). As this happens ransoms are ratcheting up from $1000 or $10,000 per incident to $100,000 to $1 million per incident.” Europol and the National Crime Agency advise against paying ransom payments to cyber criminals – there is no guarantee that you will receive the promised “key” to unlock your data (remember, we aren’t dealing with the good guys here!)
There are several low-cost technical measures that can be taken to secure your IT systems against ransomware. This excellent resource by the National Cyber Security Centre (NCSC) is a good starter for ten. Having good base line security measures in place, such as Cyber Essentials accreditation is helpful too.
Other things to consider is to ensure that you undertake proactive vendor management due diligence – check what your cloud service providers security practices are, what their incident response protocols are and how that impacts you as a customer. Make sure your contract with them defines in writing what you as a customer should expect should they have an incident.
Furthermore, ensure that you know what your organisation needs to do if it is subject to a cyberattack. The amazingly helpful Response and Recovery Guide from NCSC is a great place to start. Further local support can be provided by the Scottish Business Resilience Centre (SBRC)who offer in person support to organisations from all sectors who may become victims of cyber-attacks.
This does all seems like a lot to take in and is certainly an unwelcome distraction for many third sector organisations who are working their way through this. It is important to apply some proportional thinking to your response… Keep in mind the “rights and freedoms”, trust that Blackbaud are correct in their assertion that no credit or bank account details have been compromised. And maybe spare a thought for the incident management team at Blackbaud – I’m sure they have had a few sleepless nights recently!
Alison Stone is cyber resilience coordinator at the Scottish Council for Voluntary Organisations (SCVO)