Oh $%&@ - RE Data compromised

Comments

  • My curiosity got the better of me.  I found this article about attaching items to the Media tab (on the database view side) and found that if Blackbaud is hosting your database, then attached files are embedded and not linked, which means that they would be affected by the breach:

    https://kb.blackbaud.com/articles/Knowledge/46231?_ga=2.98811736.795329851.1596821105-1632816197.1583878162


    You also cannot export them which is a bummer.  Would have been nice to do that.
  • Thanks for researching that, Stacey. 
  • We are preparing our messaging to send to constituents.  We will be emailing a notification to those constituents with an email address and mailing a letter to those without.  I'm curious as to what other organizations are doing.  Are you notifying constituents via both email and mailed letter?
  • Stacey Brake - we're not obliged to send out notifications but I did do my research in case.  Be sure you're checking on the requirements of your state, as well as the state of each of your donors, as they may be different.  If the data breached had required notification, we (in TX and it's a fairly lenient state) would have been required to send hard copy notices to all donors, even if we had emails available.  We could only send emails if no physical address was available.  Plus we would have had to report to the appropriate office within Texas about the fraud, and print notices of the fraud in local papers of our largest cities with constituents - all if we had more than a certain number of donors within Texas.  Only if a calculation of costs, or number of donors, reached a certain threshold set by the State of Texas, would we have been allowed to forego the hard copy mailing and send only an email.

       However, remember that you have to follow the rules of the state in which your donor resides, so if you have donors in other states, you need to be sure you're following their regulations as well.  Most of these are fairly consistent with CA being the most stringent of all within the US.  The same threshold rules in the above paragraph would apply from state to state if you have large numbers of donors within multiple states.  Many educational institutions fit this model due to their alumni networks.

       If you have donors outside the US, then those rules are even more stringent and may require notification of that donor(s) even if it wasn't required within the US.
  • Thank you very much Meg Finley!  I will pass this along to my supervisor.  May I ask where you researched to get this information?  I would like to look up our state but wouldn't even begin to know where to look or the best verbiage to enter in Google!


    Thank you!
  • Stacey Brake - use the Toolkit sent by Blackbaud in the original email that gives links for every state's laws.  Sorry to say, you need to read like a lawyer through all this legal code, so get some help if you don't have the background for it.  We also consulted with our Tech Services Support, who is certified in cybersecurity and was able to give general guidelines such as - you must notify donors according to the state/locale laws within which they live and not just according to the state where you are based.


    We were blessed not to have any credit card, SSN, or any other personal information saved other than address, email, phone and donations - none of these raised to the level of Secure Personal Information by the legal definition of CA (most stringent) or TX (our location) law which we used as our litmus tests.  You need to know what you store in the unencrypted data fields of your breached databases.  If any of the Secure Personal Information, and usually it is two-pieces of information in conjunction that rise to the level of Secure PI, has been breached, then you are bound by law to notify your constituents that were included in the breach, what potential information was breached, and at what time.  For many educational and health institutions, their saved information falls into these areas, especially due to HIPAA laws.


    I hope this is helpful.


    Meg
  • JoAnn Strommen
    Stacey Brake as posted - most of the info you're looking for is in the toolkits BB provided.  It includes info on finding your state regs.


    As Meg Finley said, your requirements depend on your state laws. They vary greatly.  As we were sending to all, I did not research, but I have seen posts stating that the requirements are based on your location, not that of each individual donor's state of residence. Not sure which is correct on that point.


    We sent notice via email to all constituents with valid email and sent hard copy to others. 
  • The gift that keeps giving (not in the good way like recurring gifts) Blackbaud just sent an email saying they will be disclosing to state AG who is affected. In case you didn't want to inform your constituents now your state AG will for you.
  • JoAnn Strommen
    That's not quite how I interpret the email, Brian Hoyt. From the email:
    "We notified law enforcement when the incident occurred and are communicating with state Attorneys General from multiple states, who are evaluating the security incident. As a part of the state Attorneys’ General inquiry, Blackbaud has been asked to provide the names of those organizations whose data was a part of the data security incident."

    It says they are working with AGs in multiple states and org names were requested.  There is nothing about them notifying constituents.  I'm also assuming by law that most orgs had to notify their respective AGs already. 

  • Another question came up here - what about other fields where someone *might* have placed an SSN or credit card number not in the correct location?  Is there a way to scan data across the database to see if those types of numbers are stored in unexpected places such as notes?  Is there 3rd party software to do such a scan?
  • JoAnn Strommen
    I do not know of any way to scan the other data. If it is stored without tokenization and is identifiable to a potential hacker, I guess it could be exposed. If there's software to look for that, it was probably developed by a hacker.


    Our concern was what data along those lines could potentially be in any attachments, notes etc. 
  • Carlene Johnson
    Debbie Kelly and JoAnn Strommen, take a look at https://www.spirion.com/.  Using a backup of your database they can scan media attachments as well as Constituent Notes, Action Notes, Gift Notes, etc. for key phrases, words, number format strings, etc.  Searches could be done both for common HIPAA related terms as well as PII and financial related info.


    Having managed databases for over 20 years I'd strongly encourage folks to take a look at their action notes, gift notes, gift reference field, constituent notes, and all attachments because I guarantee you there is stuff in there that shouldn't be. I've yet to meet a database that didn't have *something* in those places that shouldn't be there.
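To show what a "number format string" scan over exported note fields looks like in practice, here is an added example (not the poster's code and not Spirion's product) that runs over constructed rows shaped like Constituent Notes and Gift Reference fields, applying a Luhn check to card-number candidates and SSA issuance rules to SSN candidates so that random digit runs are filtered out, and reporting only masked values. Field names and sample rows are assumptions made up for the example.

```python
import re

# SSN: 3-2-4 digits with optional separators; card: 13 to 19 digits with optional spaces or dashes.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; drops most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """SSA issuance rules: area never 000, 666 or 9xx; group never 00; serial never 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def scan_text(text):
    """Return (kind, masked_value) for each suspected identifier in one field's text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_records(records, fields):
    """Scan the chosen free-text fields of each record; the report carries masked values only."""
    findings = []
    for rec in records:
        for field in fields:
            for kind, masked in scan_text(rec.get(field, "")):
                findings.append({"id": rec["id"], "field": field, "kind": kind, "value": masked})
    return findings

# Constructed sample rows in the shape of exported note fields (made up for this example, not real data).
SAMPLE_RECORDS = [
    {"id": "C-1001", "constituent_notes": "Donor asked to pay by card 4111 1111 1111 1111 next time",
     "gift_reference": "Check #2045"},
    {"id": "C-1002", "constituent_notes": "Volunteer W-9 on file, SSN 123-45-6789", "gift_reference": ""},
    {"id": "C-1003", "constituent_notes": "Invoice 1234 5678 9012 3456 (order ref)",
     "gift_reference": "pledge 2020-07-16"},
]
```

Run it as `scan_records(SAMPLE_RECORDS, ["constituent_notes", "gift_reference"])`; the third row's invoice number fails the Luhn check and is correctly left out of the report.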
  • Then this notification came yesterday and we confirmed it today. If you have Financial Edge/NXT, YES, YOUR organization's bank account number was compromised. They previously thought it was encrypted. It's not and won't be until end of October. Fast response, not. What's next?

    Blackbaud notification

    Situation:
    (Situation ID: FE Bank Account # in Treasury) We told you bank account numbers were encrypted; however, we need to clarify that the Bank Account field in the Treasury module of Financial Edge/Financial Edge NXT was unencrypted. This field stores your organization's bank account number. We intend to encrypt the Bank Account field of the Treasury module by the end of October. We have created instructions on how to query the Bank Account field of the Treasury module. Copy this link into your browser for those instructions: https://kb.blackbaud.com/articles/Knowledge/194365. Please contact Customer Support if you need help with these instructions.
  • Linda:  How did you get that notification regarding YOUR organization's bank account info in FE NXT? Was it in response to direct questions you were asking Blackbaud? or was it a direct outreach from Blackbaud to you? We have FENXT and did not get that notification/update.
  • JoAnn Strommen
    If you were a BB user back in 2020 and dealt with the data breach, you might find this article interesting.
