
Blackbaud hack: More UK universities confirm breach - AznHisoka
https://www.bbc.com/news/technology-53528329
======
KineticLensman
I received an apology email from my Alma Mater. Here's an extract. The last
para makes an explicit statement that Blackbaud paid the ransom.

 _On Thursday, 16 July, we were made aware of a security incident involving
one of our third-party service providers, Blackbaud._

 _Blackbaud is one of the world's largest providers of customer relationship
management systems for the higher education and not-for-profit sectors._

 _It informed us that in May it had discovered and stopped a ransomware attack
on its systems, although some data was compromised. A number of universities
using its services have been affected, including the University of Leeds._

 _The company assures us that data compromised in the incident was
comparatively low risk and did not contain any password, bank account or
credit card information._

 _We are continuing to work closely with Blackbaud to determine exactly what
personal data was compromised. We understand that other clients of Blackbaud
have been affected in different ways, with varying types of data involved. In
our case, it appears that names and email addresses for some members of our
alumni and supporter community were affected. Information on the sums given as
gifts or event payments through the alumni web portal, Leeds Alumni Online,
may also have been affected, although not any bank account or credit card
details. As we understand that you haven’t used our website to make any
financial transactions, this aspect will not affect you._

 _Blackbaud paid a ransom to the cybercriminal and received assurances that
the stolen data was destroyed and not used or sold on to third parties.
Blackbaud says that – based on the nature of the incident, its research, and
investigation by third parties (including law enforcement) – it has no reason
to believe any data went beyond the cybercriminal, was or will be misused, or
will be disseminated or otherwise made available publicly._

~~~
heavenlyblue
> No reason to believe it went beyond the cyber criminal.

They have a really corporate sense of humour.

~~~
thinkingemote
It's bizarre but these criminals need to establish trust generally.

If victims believed that a ransom wouldn't do anything they would not pay them
as much.

I think there's a parallel with kidnapping in some countries, it's almost
business like.

~~~
toyg
You can bet that if kidnappers could make an identical copy of the victim in
order to profit from him further down the line, most of them would.

I fully expect this data to surface in a year or so.

~~~
heavenlyblue
Can you imagine having a Chief We-have-been-pwned Officer who is responsible
for building relationships with criminals so that they would actually delete
your data rather than resurface it years later when nobody remembers (not even
you) you having lost it?

------
omerhj
The ACLU has been affected as well. From the email they sent out yesterday:

 _In all candor, we are frustrated with the lack of information we've
received from Blackbaud about this incident thus far. The ACLU is doing
everything in our power to ascertain the full nature of the breach, and we are
actively investigating the nature of the data that was involved, details of
the incident, and Blackbaud's remediation plans.

We are also exploring all options to ensure this does not happen again,
including revisiting our relationship with Blackbaud._

~~~
amandahugg
Throwaway account - I am in charge of IT at one of the universities affected
and am angry at how Blackbaud has been so slow at communicating this to us.
Even when we asked them the exact fields/data that were stolen they just gave
us vague answers.

Our contract with them ends soon and we will definitely not be renewing when
it’s up.

~~~
jacquesm
Such a breach could easily count as reason to annul the contract.

~~~
guitarbill
true. but it usually isn't worth the effort, as that would involve getting
lawyers involved. easier to not renew.

plus most places will need some time to put an alternative in place. it's
commendable if anybody manages to convince management and does this though.
inertia, and I imagine Blackbaud did provide significant value/functionality?

------
cnorthwood
This must be phonetically confusing to the very different piece of software
also used a lot in the HE sector: Blackboard.

I have also received this from the University of York. The timescales in play
here seem terrible from Blackbaud's discovery to initial report.

~~~
save_ferris
> The timescales in play here seem terrible from Blackbaud's discovery to
> initial report.

That’s going to keep happening until someone gets the book thrown at them for
slow-walking a response. I know this is a pretty anti-regulatory crowd, but we
can’t expect this behavior to change if there are no consequences.

~~~
zepto
Consequences don’t have to be regulatory.

How about an opt-in scoreboard or ratings system for responses, with some
objective criteria?

Regulation would need to be based on objective criteria anyway, so why not
develop them as an industry?

~~~
save_ferris
You think a ratings system would deter companies from misbehaving?

The credit rating agencies have some of the lowest consumer confidence scores
in the entire country, and yet Equifax suffered no consequences from its
massive breach a few years ago.

Also, your suggestion is opt-in. Why would any company volunteer themselves to
be scrutinized in such a faux way?

~~~
zepto
I agree - credit ratings companies are garbage.

But it doesn’t follow that all rating systems will be garbage for all time.

The rating system would not deter misbehavior. ‘Misbehavior’ in this case is
just competence. The rating system would give clients some transparency into
the competence of the service provider.

Any company that was confident in its processes would volunteer for scrutiny
because it would be positive for their credibility, just like other
independent certifications.

The question would then become - why would a customer choose an unrated
company?

------
lol768
For those unfamiliar, Blackbaud produce software that is (mainly) used for
harassing^W updating alumni on university developments and asking them for
money.

I think Raiser's Edge is used quite a bit in the sector, though I believe
there are on-prem as well as cloud variants of the software?

~~~
Nextgrid
How does asking for money make sense in case of for-profit, paid universities?
You're saying that people pay them a significant amount of money for tuition,
complete it, and now the university is asking for more money?

~~~
mbiondi
Yes, this is a big part of how Colleges and Universities are funded.

Alumni tend to contribute either to leave a legacy behind or to help the
College maintain its reputation, which in turn helps the alum's reputation
for having graduated from there.

~~~
gruez
> to help the College maintain its reputation, which in turn helps the alum's
> reputation for having graduated from there.

Surely this can't work without some altruism involved? I find it doubtful that
any alumni can get 10k of benefit from the increased reputation that a 10k
donation can provide.

~~~
toyg
It’s the sort of transaction that typically lowers your taxable income,
effectively saving the donor money.

~~~
frobozz
That's not how reducing your taxable income works.

If you earn 50K, you net 37640. 51K and you get 38220.

If you earn 51K and donate 1K, you net exactly the same as if you just earned
50000. i.e. 580 less than if you had just kept it (If you had put it in your
pension instead, you would have kept the whole 1000)

There may be some circumstances where it makes a difference, where certain
thresholds could be crossed, but AFAIK, the way they all taper prevents that.

You can only get a tax break on 40K of pension contributions, so if you earn
91-101K and claim child benefit, without another pre-tax vehicle to soak up
the rest, you'd have to pay the clawback charge. However, I doubt that would
work. With 3 children you'd have to donate 10K to save about 2.5K.

If you earn something around 300K, it might do something because of the
tapered pension allowance. Again, I doubt it. At 250K, if you donate 10K, you
can put an extra 5K in your pension. Above that, I don't think there are any
more thresholds.

~~~
toyg
You assume the funds are disbursed by individuals rather than vehicles, you
don’t specify which legislation you’re considering, etc etc etc. I don’t think
you have enough facts here to start crunching numbers. In the UK for example
there is Gift Aid for individuals:
[https://financial-coaching.co.uk/blog/post/self-assessment-and-tax-relief-on-charitable-donations](https://financial-coaching.co.uk/blog/post/self-assessment-and-tax-relief-on-charitable-donations)

A number of schemes exist around various countries to promote incentives to
donate, and they typically end up with people paying less tax overall than
they would otherwise. (Note: I don’t think it’s a bad thing, no critique
meant).

~~~
frobozz
Yes, you pay less tax overall, but the reason for that is that the money is
treated as having been given to the charity pre-tax. It does not make your net
income go up.

In the illustration in your link, Sue gives 1k to charity and, as a result,
pays 350 less tax. This means that, as a result of this donation, her net
income has fallen by 650.

I did not provide the specific names of all the rules, but I thought that
would be obvious from the numbers, context, and some of the terms.

I had not considered the difference between payroll giving (my first
example: give 1k before tax, charity gets 1k, your taxable income is 1k less)
and claiming back (you give 1k after tax, charity gets 1.25k, you reclaim some
of the tax you paid), but payroll giving is more efficient for the donor, as
they pay zero tax on the donation, rather than basic rate, as in the reclaim
method.

There is no UK legislation, as far as I know, that reduces your tax bill by
_more_ than your donation.

~~~
frobozz
Briefly, my point is that tax efficient charitable donation schemes can only
be said to benefit the donor if you start with the assumption that part of
their lifestyle includes the charities getting a certain amount. E.g. if I
want the charity to get 1.25k, I only have to spend 1k for that to happen.

The schemes amplify the effects of existing altruism, rather than offering
incentives to persuade non-donors to donate.

------
timothevs
Not at liberty to say which Unis, but this is much wider than initially
reported. A lot of American universities were affected as well. They are still
measuring the fallout, and how best to respond. We were only told last week.

------
IshKebab
Wait they paid a ransom for the hackers to "delete" a _copy_ of the data?
That's insane.

~~~
jeroenhd
If the hackers don't delete the data and use it for something else, nobody
will ever pay them again.

Most cryptolockers and other random criminals do exactly what they promise
because if they don't, their business model will collapse. All of the stolen
info isn't worth nearly as much as what universities are willing to pay out if
you keep your promises.

It's wicked, but these criminals do have a business incentive to be nice.
Their next target will probably pay again if they act smart.

~~~
smichel17
I wonder if a university could protect themselves from this form of attack by
amending their bylaws (or some other similarly legally-binding-and-hard-to-
amend policy) to say, "We will not pay any ransoms for X, Y, or Z", and then
publicise that decision widely, so any potential criminals know that there's
no money to be made in targeting them.

~~~
jeroenhd
It might, unless the attackers see it as a challenge. Many types of
cybersecurity insurance won't pay out if you don't or will be more expensive
than paying out, so it also might be an expensive bet to take.

The problem is that smart criminals don't directly attack a single corporation
or university, they'll attack a SAAS/IAAS/PAAS provider many of their
potential targets use and see what they can get out of the data. In this
instance even one university paying out would probably be enough to offset the
risk and cost of the criminal operation.

In many cases, paying out is also the economical choice to take, especially in
ransomware attacks. Even if backups were made, tested and recent, paying a
million here and there might still be worth it if not doing so would cost
weeks or even months of work and employees and students lacking IT services.
With modern education being run like a business, I'm not sure if it'd even
make sense to bet on such a statement to be worth it. You may shoot yourself
in the foot when you eventually do get hit and you need to either spend lots
of time and money or break the promise you made on your website (betraying
your employees and students in the process by showing that you cannot hold up
the values you claim to have).

------
arethuza
Our son is at Exeter University and they notified me a couple of days ago
about this - they identified Blackbaud as the service that had the problem.

~~~
iso1210
Yup, we received emails from them about it - we graduated nearly 20 years ago.
I guess that's the price you pay when you say "yes, send me an alumni email
every so often"

------
kbutler
The individual party incentives in ransomware are all to pay it, which
encourages future attacks; only the long-term, societal view discourages
payment.

The victim (individual organization or SaaS provider) wants to just have it
end.

The ransomer has the incentive to build the pattern of "pay the ransom and
nobody gets hurt [in this incident]", because it builds the business model.

Cybersecurity insurance exacerbates the problem, because the insurer knows
that payouts solve the incident for the insured at a relatively low cost, and
that each incident perversely increases the need organizations have for the
insurance.

Conversely, if no one pays ransoms, it immediately ceases being a viable
criminal business model.

------
smart_jackal
I've read in some article that insurance companies are actually encouraging
the hackers by forcing their insured victims to pay the ransom instead of
trying to recover on their own or fight back against the hackers in any way.

~~~
JackFr
That’s the way it works with liability insurance — if you want the coverage,
it’s up to them, not you, whether you settle or fight. But one would hope
the insurers are smart enough not to encourage bad behavior.

------
JackFr
I’m sure the appropriate sanction for Blackbaud would bankrupt the company.
While that is probably the best outcome long term, it doesn’t help anyone now.

------
aronpye
How was trusting the word of a bunch of criminals, with no reason to follow
through with deleting the data, the correct course of action? Isn’t a failure
to disclose what data was compromised, and how, a breach of GDPR?

~~~
AznHisoka
I forgot the exact GDPR laws but I think if they failed to disclose the
security breach within 3 days of discovery they are subject to a fine of 4% of
their revenue.

~~~
scaryclam
Up to 4% of their global revenue or €20,000,000, whichever is higher. Those are
the maximum fines they can levy (per incident), but in reality it's very
unlikely to be that high.

And yes, you are correct, organisations have 72 hours to disclose the breach.

The various data protection offices (such as the ICO in the UK) usually try to
work with organisations first. If Blackbaud aren't playing ball though, they
may be in for a rough ride (assuming that they actually operate where the EU
has jurisdiction that is).

~~~
TimLangley
Slightly nitpicky, but the 72 hour piece is wrong here.

A data controller has 72 hours to notify the ICO (or other supervisory
authority). A data processor has no such obligation [unless specified as part
of the data processing agreement, DPA].

Most DPAs will state "as soon as possible", such that the controller can notify.

But in this instance Blackbaud would almost certainly be a processor.

(It’s a neat [nasty] little loophole.)

~~~
jacquesm
Article 28 makes it a requirement that the processor and the controller
arrange for this notification requirement to be arranged between them. A
failure to do so by the processor would likely make them liable. The processor
is only able to discharge itself from this liability _if_ they notify the
controller promptly.

For more reading on this:

[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/)

