Oh $%&@ - RE Data compromised
Comments
-
This breach has hit the news in UK - https://www.bbc.com/news/technology-53528329. Now questions about notifications needed under GDPR in EU are coming up more. This story isn't done yet I don't think.
2 -
My old university is right there on the list on the BBC article, so while my organisation's data might not have been included - my personal data might have?
0 -
Has anyone heard what organizations whose data was breached have in common? I heard a rumor that it was organizations that use Research Point - but I haven't found anything to substantiate that. Also, does anyone know what products were hacked (Education Management, Raiser's Edge NXT, Financial Edge NXT, etc.)? Or was it all data by organization?
1 -
On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.
Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.
1 -
JoAnn Strommen:
On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.
Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.
Azure - if you are hosted on Azure, that data did not get compromised, BB confirmed. Only the ones hosted on Blackbaud's data centers.
I'm curious about it being the Boston datacenter, because I thought we were assigned them according to location! There are 4 or 5, aren't there, around the world? I wouldn't have thought so much UK or Australian data would be stored in Boston. I remember when there were major issues with Boston's uptime a few years ago, folks talked about being hosted in Vancouver or Sydney (also see this KB for datacenter locations: https://kb.blackbaud.com/articles/Article/50641)
I can't see a common thread myself, but I don't know what all services might be used, and I don't use Facebook to have seen that one. There is a forum thread at AFP, and I imagine AASP, too. So far the list is heavily weighted towards educational orgs, but that could be sampling bias.
0 -
JoAnn Strommen:
On Fb there was speculation it was data hosted by Boston. Some comments also it wasn't those on Azure.
Large org here in our community had only their Research Point, not RE NXT. We had NXT and DonorCentrics. Didn't mention RP which we've used in the past. Seems like it has been varied from org to org.
I've speculated it was the Boston datacenter as well. I also think it's been more legacy clients, and I think they are moving new clients directly into the Azure/AWS centers. Boston data center has had its share of issues in the past. But I do find it interesting that there was a push to move clients to Azure a couple of months before this breach. Fortunately, my org was in that boat, so we didn't have our database compromised.
1 -
I had suspected Boston as well. It's the only server that hosts RE NXT (at least that was what I was told when I asked that we be hosted elsewhere due to the traffic issues we were experiencing). We are looking into moving to Azure for hosting. Has anyone had problems with it?
0 -
Because I'm nosy and the question keeps coming up, and because it's a Friday afternoon, I sought out as many threads/discussions about this as possible here on the Blackbaud Community forums and on some of the professional forums I have access to.
I have counted a minimum of 78 organizations which have either come out and said they were affected or suggested as much through the question/reply context. Some replies to the threads were purely informative and did not suggest the org was affected, so I did not count them.
I found people asking about the breach in the following Community forums: Raiser's Edge; Altru; BBNC; Target Analytics; Church Management.
A lot of people I've spoken with are all irritated with how squirrelly Blackbaud is being about the number of affected clients and their unwillingness to provide lists of standard fields for the relevant databases. We understand that Blackbaud doesn't want to fully admit to the scope, because it's not a great story, and they'd rather not say "70% of our hosted clients have had their data stolen" because that will hurt the business. And folks are already shy to sign contracts with BB for various reasons - size (all that Big Gorilla sales pitch tone), accessibility of the interfaces, and cost are the big ones I know of. But not being transparent - this reluctance to say anything, and the delay in even informing clients of the breach - is not doing anything to foster trust in BB or future relations with them.
There's a lot that I really like about Blackbaud and Raiser's Edge, and I've been using RE for nearly 10 years - I am excited about the updates to the interface and the potential in NXT. But this whole thing has really shaken my trust.
I'm hopeful that the management of the official response will turn around next week, especially after the BBC article. We're still working with our law team to determine our next steps, but I've already begun receiving email notices from orgs I've donated to who use Blackbaud services.
10 -
It seems that only services that live within the Citrix servers were affected. Even though RE:NXT may not use it, the DB lives in a way to allow access that way. Same thing for FE / EE. It is all the legacy products. I am pretty sure we got moved out of Boston data center last year but I may be wrong. I also can't believe all of EU / UK is run out of Boston but I could be wrong. In Washington State we had to notify the state attorney general as well.
0 -
Does anyone here have a header listing of all of the fields for RE/FE? I have been looking over all of the documentation, but also figure that someone here probably has done this already.
Thanks for any info you can provide.
-Mark
0 -
Hi Mark,
Here is a list I created a long time ago for my policy and procedures manual. If you need to see your attributes and tables, you can pull that from Admin.
I've attached my list for you
Patti Posey
Stamford Hospital Foundation
5 -
Has anyone been able to talk to a live person at Blackbaud to help get some answers? Our IT Department is looking for a technical person to talk to, but we are not having any luck.
1 -
Like most everyone else here we are having trouble getting answers and figuring out exactly what data may have been exposed.
Our RE is locally hosted and the email we received only mentioned ResearchPoint. Anyone else in this situation? How are you trying to figure out which ResearchPoint fields were at risk?
1 -
We had other data but have been in several conversations with orgs who only had Research Point noted in their emails. FWIW, those orgs (I know one said was after legal consult) are of the viewpoint that data in research point is public information, can be found through a variety of online sources. At this point they are opting not to do any notification. It is not required by their state laws.
3 -
I am still somewhat in the dark as to what was breached. I am assuming names, addresses and birthdates, but were gift amounts included in this breach? I have been on chat as well as looking over info on the website but am having no real luck.
Are organizations notifying their donors?
0 -
Veronica Adams I got an email from my university telling me about the breach - we're in the UK, so they have to with GDPR and all.
0 -
For those that sent out a notification how was it received by your constituents? We launched ours and I'm scrambling to throw together an FAQ we can link to our website in my response. We had ResearchPoint data involved in the breach. I feel like BB left us all scrambling a bit.
4 -
Stacey Brake:
I had suspected Boston as well. It's the only server that hosts RE NXT (at least that was what I was told when I asked that we be hosted elsewhere due to the traffic issues we were experiencing). We are looking into moving to Azure for hosting. Has anyone had problems with it?
There are Toronto servers as well with NXT. Most Canadian clients are on them now, but clearly not all of them.
0 -
Can someone confirm which servers were involved? Toronto, Boston, there is another in the states and I think maybe still one in Vancouver.
0 -
I am wondering if I am missing something. If you received an email saying your data was breached, then all of it was breached, you should know what data you are tracking, no? If you are tracking credit cards in appropriate fields, then they should be ok. Why is everyone wondering what fields are in RE? Are people tracking sensitive info in inappropriate fields? Please enlighten me.
0 -
Veronica Adams:
I am still somewhat in the dark as to what was breached. I am assuming names, addresses and birthdates, but were gift amounts included in this breach? I have been on chat as well as looking over info on the website but am having no real luck.
Are organizations notifying their donors?
Everything that you track in RE was breached, except encrypted credit card or payment information (provided you were tracking it only in the appropriate fields)
0 -
Not certain why people are asking. My assumption is that their powers that be / legal advisors are asking specifically what data was breached. Notification regulations vary from state to state and can depend on exactly what was exposed. (Example, North Dakota requires notification if DOB was exposed.) Many orgs are also assessing if data can be considered public information as it can be found/researched. Other than dba or data entry people, my guess is many execs/boards do not know exactly what data is stored in the software. Or what type of data is stored in attachments and with actions.
Just my guess based on conversations I've seen.
1 -
Sarah OBrien:
For those that sent out a notification how was it received by your constituents?
We have had several families ask to be totally removed from any databases. We are working through the issues with financial tracking if we remove records. We may end up having anonymous records with no data stored in the DB. Not fun to deal with.
1 -
Brian Hoyt:
Sarah OBrien:
For those that sent out a notification how was it received by your constituents?
We have had several families ask to be totally removed from any databases. We are working through the issues with financial tracking if we remove records. We may end up having anonymous records with no data stored in the DB. Not fun to deal with.
We are working through the same issue. To complicate it we have a few grandparents who asked to be removed, but they are emergency contacts. Not a big deal in RE, but now this becomes a cross platform issue and we need to figure out how to keep someone out of the system when we can't clearly identify them.
0 -
So to follow up on some of this - the question of attachments. Does anyone know if there is a way to query NXT to identify which records have attachments? I did not see anything in the knowledgebase.
0 -
I don't know how you could query in RE to find all attachments.
Attachments could be on a note, media, proposal, etc. For note type might be random unless you have a specific note description anytime you've attached something. Media you may be able to tell by type which are a concern.
We know what types of attachments we have in the various places and info contained. We did not filter our BB breach notification based on that much detail. We sent quite broadly.
Best wishes,
0 -
With regard to the attachments on the Media tab, we link documentation from a shared drive; we don't embed the document in the record (We don't choose "Create New"; we choose "Create from file" and establish a link to the document). Does the backup copy pull in a copy of that documentation? Or is the link broken, as was the case when we upgraded to NXT from RE7?
0 -
Rene Mayginnes:
With regard to the attachments on the Media tab, we link documentation from a shared drive; we don't embed the document in the record (We don't choose "Create New"; we choose "Create from file" and establish a link to the document). Does the backup copy pull in a copy of that documentation? Or is the link broken, as was the case when we upgraded to NXT from RE7?
As best I know it would be broken. If the link was to a local (internal to your organization) server there would be no way to access it simply from the RE DB backups that were stolen.
2 -
Brian, I hope that is the case so I don't have to worry about annuity documents or planned giving documents that may not have redacted account numbers.
0 -
Regarding attachments - I was told that attachments to the Media tab, etc. were affected by the breach as well. My understanding is that RE makes a copy of the document, whether you create a new one or link to an existing one, and attaches it to the constituent's record. It then becomes part of the database. We used this feature in another database and the documents migrated with the data to Raiser's Edge. If it's a link to a document, wouldn't the link be broken if the document is moved to another location or the name changed? What if the document is deleted? I'm curious about how this works as well.
0