Data Breach - Written confirmation from Blackbaud that we were NOT part of the breach?

First, let me say that I am so very sorry for those who were part of the recent data breach.  This includes Blackbaud customers and Blackbaud itself.  Not cool at all, but part of the world we now live in.  I am also internally grateful we were not part of the breach (as far as I know).  


I haven't been super happy with the way that Blackbaud informed us that we are not part of the breach. And what I mean to say is that we were never informed.  Only organizations where their data was breached have been contacted.  The rest of us are left wondering if they missed us or it fell into spam.


When I reached out to the Blackbaud hotline, they diligently took down my information but a full week later they have not got back to me.  Clicking on the breach link shows me a zebra blowing a whistle and I am told by my customer success team that this indicates we were not part of the breach LOL.


I have asked for written confirmation (on Blackbaud letterhead) of this but I am told I cannot have one due to security/privacy concerns...?


Due to this, from a Board perspective, I do not feel I have sufficient evidence to say that our donor data was not compromised.  Has anyone been able to talk Blackbaud into providing written confirmation that their data was not compromised?  Am I asking for too much?


Any insight/help would be appreciated!


PS. And speaking of not asking for too much - is it too much to ask that a breach of this magnitude be made public sooner than two months?

Comments

  • Insight: a company may not want to create a hard copy letter, preferring to use internal email, and when that is also not desired, they resort to "call us" which, like IRS advice (documented), may not yield accurate answers.

    When your quote of "due to security/privacy concerns" was read, it reminds me of the Firefox upgrade malware several years back when companies were saying "not reproducible" and the URL registering company would not release (nor stop) one man from creating names/accounts daily (which cost him nothing as 4 days after non-payment, the name was unregistered, which was 2 days after the URL was no longer needed), PLUS the company which hosted the malware code, in Florida, also would not do anything, citing "privacy issues". I spent a lot of time researching this and it is frustrating to hit a stone wall, so the lesson here is to hope you never have another data breach. BTW, the hosting computer company had no control over the user code, according to the privacy of their client, hence my warning/feedback fell on deaf ears in the interest of making money.


    Lesson #2 would be that the wording on web sites, and contracts containing "our primary concern" and "world class", are not guarantees. Even "we work with ..." is more marketing. I remember when Microsoft and NBC News announced their MSNBC site was ready to go. I'm one heck of a beta tester. My response, after a brief inspection, was feedback "Let me know when you're finished" because IMO it wasn't ready for release. MS is big but it doesn't make them perfect.


    Computers are complex extensions of Human Engineering. Or should be. HE is without an adjective. A product has it or doesn't. When the industry does not question when data TRANSMISSION in the Mega/Gigabyte range all the time is allowed, while a 28.8 Kb modem would be safer, the tricycle industry would see no downside to installing a 6 HP motor either.


    Since the official page says it was confirmed the stolen data was purged, you have to take their word for it. Fret not. I want to know how initial entry was made to the system so others can learn from it. You'd be surprised how a phone call from another department is the premise, or email attachments no matter how often you warn employees.


     
