Oh $%&@ - RE Data compromised
Comments
-
My curiosity got the better of me. I found this article about attaching items to the Media tab (on the database view side) and found that if Blackbaud is hosting your database, then attached files are embedded and not linked, which means that they would be affected by the breach:
https://kb.blackbaud.com/articles/Knowledge/46231?_ga=2.98811736.795329851.1596821105-1632816197.1583878162
You also cannot export them, which is a bummer. Would have been nice to do that.
-
Thanks for researching that, Stacey.
-
We are preparing our messaging to send to constituents. We will be emailing a notification to those constituents with an email address and mailing a letter to those without. I'm curious as to what other organizations are doing. Are you notifying constituents via both email and mailed letter?
-
Stacey Brake - we're not obliged to send out notifications but I did do my research in case. Be sure you're checking on the requirements of your state, as well as the state of each of your donors, as they may be different. If the data breached had required notification, we (in TX and it's a fairly lenient state) would have been required to send hard copy notices to all donors, even if we had emails available. We could only send emails if no physical address was available. Plus we would have had to report to the appropriate office within Texas about the fraud, and print notices of the fraud in local papers of our largest cities with constituents - all if we had more than a certain number of donors within Texas. Only if a calculation of costs, or number of donors, reached a certain threshold set by the State of Texas, would we have been allowed to forego the hard copy mailing and send only an email.
However, remember that you have to follow the rules of the state in which your donor resides, so if you have donors in other states, you need to be sure you're following their regulations as well. Most of these are fairly consistent with CA being the most stringent of all within the US. The same threshold rules in the above paragraph would apply from state to state if you have large numbers of donors within multiple states. Many educational institutions fit this model due to their alumni networks.
If you have donors outside the US, then those rules are even more stringent and may require notification of that donor(s) even if it wasn't required within the US.
-
Thank you very much Meg Finley! I will pass this along to my supervisor. May I ask where you researched to get this information? I would like to look up our state but wouldn't even begin to know where to look or the best verbiage to enter in Google!
Thank you!
-
Stacey Brake - use the Toolkit sent by Blackbaud in the original email that gives links for every state's laws. Sorry to say, you need to read like a lawyer through all this legal code so get some help if you don't have the background for it. We also consulted with our Tech Services Support who is certified in cybersecurity and was able to give general guidelines such as - you must notify donors according to the state/locale laws within which they live and not just according to the state where you are based.
We were blessed not to have any credit card, SSN, or any other personal information saved other than address, email, phone and donations - none of these rose to the level of Secure Personal Information by the legal definition of CA (most stringent) or TX (our location) law, which we used as our litmus tests. You need to know what you store in the unencrypted data fields of your breached databases. If any of the Secure Personal Information, and usually it is two pieces of information in conjunction that rise to the level of Secure PI, has been breached, then you are bound by law to notify your constituents that were included in the breach, what potential information was breached, and at what time. For many educational and health institutions, their saved information falls into these areas, especially due to HIPAA laws.
I hope this is helpful.
Meg
-
Stacey Brake as posted - most of the info you're looking for is in the toolkits BB provided. It includes info on finding your state regs.
As Meg Finley said, your requirements depend on your state laws. They vary greatly. As we were sending to all, I did not research, but I have seen posts stating that the requirements are based on your location, not that of each individual donor's state of residence. Not sure which is correct on that point.
We sent notice via email to all constituents with valid email and sent hard copy to others.
-
This is getting more interesting - https://www.classaction.org/news/blackbaud-hit-with-class-action-over-data-breach-stemming-from-three-month-ransomware-attack
-
Brian Hoyt:
This is getting more interesting - https://www.classaction.org/news/blackbaud-hit-with-class-action-over-data-breach-stemming-from-three-month-ransomware-attack
Interesting indeed....
-
The gift that keeps giving (not in the good way, like recurring gifts). Blackbaud just sent an email saying they will be disclosing to state AGs who is affected. In case you didn't want to inform your constituents, now your state AG will for you.
-
That's not quite how I interpret the email, Brian Hoyt. From the email: "We notified law enforcement when the incident occurred and are communicating with state Attorneys General from multiple states, who are evaluating the security incident. As a part of the state Attorneys' General inquiry, Blackbaud has been asked to provide the names of those organizations whose data was a part of the data security incident."
It says they are working with AGs in multiple states and org names were requested. There is nothing about them notifying constituents. I'm also assuming by law that most orgs had to notify their respective AGs already.
-
Another question came up here - what about other fields where someone *might* have placed an SSN or credit card number not in the correct location? Is there a way to scan data across the database to see if those types of numbers are stored in unexpected places such as notes? Is there 3rd party software to do such a scan?
-
I do not know of any way to scan the other data. If it is stored without tokenization and identifiable to a potential hacker, I guess it could be exposed. If there's software to look for that, it was probably developed by a hacker.
Our concern was what data along those lines could potentially be in any attachments, notes, etc.
-
Debbie Kelly and JoAnn Strommen, take a look at https://www.spirion.com/. Using a backup of your database they can scan media attachments as well as Constituent Notes, Action Notes, Gift Notes, etc. for key phrases, words, number format strings, etc. Searches could be done both for common HIPAA related terms as well as PII and financial related info.
Having managed databases for over 20 years, I'd strongly encourage folks to take a look at their action notes, gift notes, gift reference field, constituent notes, and all attachments, because I guarantee you there is stuff in there that shouldn't be. I've yet to meet a database that didn't have *something* in those places that shouldn't be there.
-
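One way to do the kind of free-text scan asked about above, as an added example that is not from this thread or from any product mentioned in it: a small Python checker run over constructed sample note text. It flags SSN-shaped and card-shaped numbers, validates card candidates with the Luhn checksum and rejects SSN ranges the SSA never issues so that internal IDs cause fewer false positives, and reports every hit masked to its last four digits so the scan output itself does not become another copy of the data. The record IDs and note text are made up.

```python
import re

# Constructed sample notes (not real data) of the kind a fundraising database
# holds; two contain numbers that should never be in a free-text field.
SAMPLE_NOTES = {
    1001: "Called donor, will mail check next week.",
    1002: "Donor gave card over phone: 4111 1111 1111 1111, exp 12/24",
    1003: "Matching gift form lists SSN 123-45-6789 for verification",
    1004: "Order ref 1234-5678-9012-3456 (not a card, fails Luhn)",
    1005: "Gift ID 987-65-4320 is an internal batch number",  # SSN-shaped
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, separators ok

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject area/group/serial values the SSA never issues (cuts false hits)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def mask(digits):
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_notes(notes):
    """Return (record_id, kind, masked_value) for each suspected PII hit."""
    findings = []
    for rec_id, text in notes.items():
        for m in SSN_RE.finditer(text):
            if ssn_plausible(*m.groups()):
                findings.append((rec_id, "ssn", mask("".join(m.groups()))))
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((rec_id, "card", mask(digits)))
    return findings

if __name__ == "__main__":
    for hit in scan_notes(SAMPLE_NOTES):
        print(hit)
```

Against the sample, only records 1002 and 1003 are reported; the Luhn-failing order reference and the reserved 987-65-xxxx number are dropped as false positives.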
Then this notification came yesterday and we confirmed it today. If you have Financial Edge/NXT, YES, YOUR organization's bank account number was compromised. They previously thought it was encrypted. It's not and won't be until end of October. Fast response, not. What's next?
Blackbaud notification
Situation: (Situation ID: FE Bank Account # in Treasury) We told you bank account numbers were encrypted; however, we need to clarify that the Bank Account field in the Treasury module of Financial Edge/Financial Edge NXT was unencrypted. This field stores your organization's bank account number. We intend to encrypt the Bank Account field of the Treasury module by the end of October. We have created instructions on how to query the Bank Account field of the Treasury module. Copy this link into your browser for those instructions: https://kb.blackbaud.com/articles/Knowledge/194365. Please contact Customer Support if you need help with these instructions.
-
Linda: How did you get that notification regarding YOUR organization's bank account info in FE NXT? Was it in response to direct questions you were asking Blackbaud, or was it a direct outreach from Blackbaud to you? We have FENXT and did not get that notification/update.
-
If you were a BB user back in 2020 and dealt with the data breach, you might find this article interesting.