Anonymous hackers have accessed data containing the personal information of donors to several hundred cultural institutions, universities, and charities in the US and the UK, including the Smithsonian Institution and the National Trust.
The data was copied in a ransomware attack on May 14 targeting Blackbaud, a third-party cloud software company that works with some 25,000 institutional clients around the world. According to Blackbaud, which shared news of the attack with its clients on June 16, the compromised data was limited to demographic information such as names, addresses, phone numbers, and donation summaries, and did not include credit card information, bank account information, or social security numbers.
“Blackbaud reported to us that it quickly and properly neutralized the threat,” a Smithsonian representative wrote to members of the museum’s email list. “We will continue to investigate to confirm Blackbaud’s assurances.”
“We take data protection extremely seriously at the National Trust,” National Trust CIO Jon Townsend wrote in a similar email published by . “We’re looking again at the security of how data is managed and working closely with Blackbaud to discover exactly what happened.”
Also among the other affected organizations were the Parrish Art Museum in Water Mill, New York, and the Corning Museum of Glass in Corning, New York. Some 200 Blackbaud clients are believed to have been impacted, including 16 US universities, according to Inside Higher Ed, and 33 British charities, according to the BBC.
“Like many of Blackbaud’s 25,000 institutional customers around the world, the Corning Museum of Glass was impacted,” a museum spokesperson told Artnet News in an email. “The museum does not keep credit cards, bank accounts, or social security numbers in the system hosted by Blackbaud, and has alerted its affected constituents to the breach.”
In an email to members of the Parrish’s email list, Chris Siefert, the museum’s interim director, confirmed that some of the information the institution stores in its Blackbaud system “was accessed by a cybercriminal,” but said that financial information had not been compromised. “We nevertheless are reporting this incident out of an abundance of caution and ask that you remain vigilant for any suspicious activity.”
Blackbaud also provides services to hospitals and nonprofits that were also affected by the data breach.
Other art museums listed as clients on the company website are the Speed Art Museum in Louisville, Kentucky; the RISD Museum in Providence; the Autry Museum of the American West in Los Angeles; the Carnegie Museums of Pittsburgh. Those museums did not respond to inquiries from Artnet News.
“It’s very important to do your homework when choosing a third-party provider and trusting them with your data. Remember, you are not only trusting third parties with your customer data, but also with your reputation,” Tyler Cohen Wood, a cyber-security consultant and the former cyber deputy chief of the Defense Intelligence Agency, told Artnet News in an email.
“Make sure you know exactly how your data is secured, how the ‘crown jewels’ are protected and who is responsible for cybersecurity events and what they will and won’t do in the event of a data breach.”
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” said Blackbaud in a statement.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Blackbaud’s cybersecurity team worked quickly to stop the hackers from encrypting its servers and locking the company out of the system, but the cybercriminals did manage to copy a subset of client data during the attack. To ensure that data was destroyed and not shared, Blackbaud paid the hackers an undisclosed ransom in Bitcoin, according to the .
“What I find unsettling about Blackbaud’s situation is that they just took the hackers at their word that the stolen data was destroyed. In my experience, hackers almost always leave behind hard-t-find malware so that they can still access the system,” said Wood.
She advises that museums employing third-party providers familiarize themselves with the company’s procedures for handling ransomware attacks and to have secure data backups, even if that means paying extra.
“We have implemented additional measures to prevent this issue from happening again. We regret and apologize that this has caused unplanned effort for some of our customers as they process this information,” Blackbaud president and CEO Mike Gianoni told the . “We are partnering with the subset of customers who were part of this incident to make sure they are briefed and well supported.”