Photo by form. PxHere

September 29, 2020; WCBD-TV (Charleston, SC)

After many months of insisting that no bank account information or Social Security information had been accessed in a ransomware attack that occurred starting in late spring, yesterday, Blackbaud released a Securities and Exchange Commission Report revealing that further forensic investigation found that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames, and/or passwords.”

As readers may recall, Blackbaud, a cloud computing company serving nonprofits, was hacked in May, a problem that has impacted not just many hundreds of organizations, but also their donors, students, and patients. The company has been slow in communicating the breach and its extent and has downplayed the problem while assuring the public that they have the matter well in hand. That does not seem to be the case.

Blackbaud continues its opaque communication, which some say attempts to normalize the massive hack, by saying that not every institution notified that their data was stolen had this kind of intimate data compromised, assuring all and sundry that “in most cases, fields intended for sensitive information were encrypted and not accessible.”

Apparently, the company has yet to contact those nonprofits whose donors and other stakeholders were so compromised, but even that means little, in that it took the company months to inform their customers of the hack.

Unfortunately, for those nonprofits who may have already assured donors their banking and Social Security information were almost certainly not compromised, this could be a costly hit, in that it could have an effect on their credibility as stewards.—Ruth McCambridge