Oh $%&@ - RE Data compromised


  • This breach has hit the news in UK - https://www.bbc.com/news/technology-53528329. Now questions about notifications needed under GDPR in EU are coming up more. This story isn't done yet I don't think.
  • My old university is right there on the list in the BBC article, so while my organisation's data might not have been included, my personal data might have?
  • Has anyone heard what organizations whose data was breached have in common?  I heard a rumor that it was organizations that use Research Point - but I haven't found anything to substantiate that. Also, does anyone know what products were hacked (Education Management, Raiser's Edge NXT, Financial Edge NXT, etc.....)? Or was it all data by organization?
  • On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.


    Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.  
  • JoAnn Strommen:

    On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.


    Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.  

    Azure - if you are hosted on Azure, that data did not get compromised, BB confirmed. Only the ones hosted on Blackbaud's data centers.


    I'm curious about it being the Boston datacenter, because I thought we were assigned them according to location! There are 4 or 5, aren't there, around the world? I wouldn't have thought so much UK or Australian data would be stored in Boston. I remember when there were major issues with Boston's uptime a few years ago, folks talked about being hosted in Vancouver or Sydney (also see this KB for datacenter locations: https://kb.blackbaud.com/articles/Article/50641)


    I can't see a common thread myself, but I don't know what all services might be used, and I don't use Facebook to have seen that one. There is a forum thread at AFP, and I imagine AASP, too. So far the list is heavily weighted towards educational orgs, but that could be sampling bias.

  • Dariel Dixon 2

    JoAnn Strommen:

    On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.


    Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.  

    I've speculated it was the Boston datacenter as well.  I also think it's been more legacy clients, and I think they are moving new clients directly into the Azure/AWS centers.  Boston data center has had its share of issues in the past.  But I do find it interesting that there was a push to move clients to Azure a couple of months before this breach.  Fortunately, my org was in that boat, so we didn't have our database compromised. 

  • I had suspected Boston as well.  It's the only server that hosts RE NXT (at least that was what I was told when I asked that we be hosted elsewhere due to the traffic issues we were experiencing).  We are looking into moving to Azure for hosting.  Has anyone had problems with it?
  • It seems that only services that live within the Citrix servers were affected. Even though RE:NXT may not use it the DB lives in a way to allow access that way. Same thing for FE / EE. It is all the legacy products. I am pretty sure we got moved out of Boston data center last year but I may be wrong. I also can't believe all of EU / UK is run out of Boston but I could be wrong. In Washington State we had to notify the state attorney general as well.
  • Does anyone here have a header listing of all of the fields for RE/FE?  I have been looking over all of the documentation, but also figure that someone here probably has done this already.


    Thanks for any info you can provide.

    -Mark
  • Has anyone been able to talk to a live person at Blackbaud to help get some answers? Our IT Department is looking for a technical person to talk to, but we are not having any luck.
  • Like most everyone else here we are having trouble getting answers and figuring out exactly what data may have been exposed.


    Our RE is locally hosted and the email we received only mentioned ResearchPoint.  Anyone else in this situation?  How are you trying to figure out which ResearchPoint fields were at risk?
  • We had other data but have been in several conversations with orgs who only had Research Point noted in their emails.  FWIW, those orgs (I know one said was after legal consult) are of the viewpoint that data in research point is public information, can be found through a variety of online sources. At this point they are opting not to do any notification.  It is not required by their state laws.
  • I am still somewhat in the dark as to what was breached. I am assuming names, addresses and birthdates but were gift amounts included in this breach. I have been on chat as well as looking over info on the website but am having no real luck.


    Are organizations notifying their donors?
  • Veronica Adams I got an email from my university telling me about the breach - we're in the UK, so they have to with GDPR and all.
  • For those that sent out a notification, how was it received by your constituents? We launched ours and I'm scrambling to throw together an FAQ we can link to our website in my response. We had ResearchPoint data involved in the breach. I feel like BB left us all scrambling a bit. 
  • Stacey Brake:

    I had suspected Boston as well.  It's the only server that hosts RE NXT (at least that was what I was told when I asked that we be hosted elsewhere due to the traffic issues we were experiencing).  We are looking into moving to Azure for hosting.  Has anyone had problems with it?

    There are Toronto servers as well with NXT.  Most Canadian clients are on them now, but clearly not all of them.

  • Can someone confirm which servers were involved?  Toronto, Boston, there is another in the states and I think maybe still one in Vancouver.  
  • I am wondering if I am missing something.  If you received an email saying your data was breached, then all of it was breached, you should know what data you are tracking, no?  If you are tracking credit cards in appropriate fields, then they should be ok.  Why is everyone wondering what fields are in RE?  Are people tracking sensitive info in inappropriate fields?  Please enlighten me.
  • Veronica Adams:

    I am still somewhat in the dark as to what was breached. I am assuming names, addresses and birthdates but were gift amounts included in this breach. I have been on chat as well as looking over info on the website but am having no real luck.


    Are organizations notifying their donors?

    Everything that you track in RE was breached, except encrypted credit card or payment information (provided you were tracking it only in the appropriate fields)

  • Not certain why people are asking. My assumption is that the powers that be / legal advisors are asking specifically what data was breached. Notification regulations vary from state to state and can depend on exactly what was exposed. (Example: North Dakota requires notification if DOB was exposed.)  Many orgs are also assessing if data can be considered public information as it can be found/researched. Other than DBAs or data entry people, my guess is many execs/boards do not know exactly what data is stored in the software. Or what type of data is stored in attachments and with actions. 


    Just my guess based on conversations I've seen.
  • Sarah OBrien:

    For those that sent out a notification, how was it received by your constituents?  

    We have had several families ask to be totally removed from any databases. We are working through the issues with financial tracking if we remove records. We may end up having anonymous records with no data stored in the DB. Not fun to deal with.

  • Brian Hoyt:

    Sarah OBrien:

    For those that sent out a notification, how was it received by your constituents?  

    We have had several families ask to be totally removed from any databases. We are working through the issues with financial tracking if we remove records. We may end up having anonymous records with no data stored in the DB. Not fun to deal with.

    We are working through the same issue. To complicate it, we have a few grandparents who asked to be removed, but they are emergency contacts. Not a big deal in RE, but now this becomes a cross-platform issue and we need to figure out how to keep someone out of the system when we can't clearly identify them.

  • So to follow up on some of this - the question of attachments. Does anyone know if there is a way to query NXT to identify which records have attachments? I did not see anything in the knowledgebase.
  • I don't know how you could query in RE to find all attachments. 


    Attachments could be on a note, media, proposal, etc. For note type might be random unless you have a specific note description anytime you've attached something. Media you may be able to tell by type which are a concern.


    We know what types of attachments we have in the various places and the info contained. We did not filter our BB breach notification based on that much detail. We sent quite broadly.


    Best wishes,
  • With regard to the attachments on the Media tab, we link documentation from a shared drive; we don't embed the document in the record (We don't choose "Create New"; we choose "Create from file" and establish a link to the document).  Does the backup copy pull in a copy of that documentation?  Or is the link broken, as was the case when we upgraded to NXT from RE7?
  • Rene Mayginnes:

    With regard to the attachments on the Media tab, we link documentation from a shared drive; we don't embed the document in the record (We don't choose "Create New"; we choose "Create from file" and establish a link to the document).  Does the backup copy pull in a copy of that documentation?  Or is the link broken, as was the case when we upgraded to NXT from RE7?

    As best I know it would be broken. If the link was to a local (internal to your organization) server, there would be no way to access it simply from the RE DB backups that were stolen.

  • Brian, I hope that is the case so I don't have to worry about annuity documents or planned giving documents that may not have redacted account numbers.
  • Regarding attachments - I was told that attachments to the Media tab, etc. were affected by the breach as well.  My understanding is that RE makes a copy of the document, whether you create a new one or link to an existing one, and attaches it to the constituent's record.  It then becomes part of the database.   We used this feature in another database and the documents migrated with the data to Raiser's Edge.  If it's a link to a document, wouldn't the link be broken if the document is moved to another location or the name changed?  What if the document is deleted?  I'm curious about how this works as well.