Blackbaud, a cloud software company that serves universities and other non-profit institutions, is being criticized for paying a ransom to cyber criminals to delete data they accessed in a ransomware attack.
“Funding cybercriminals in this way has many consequences: they may come back later knowing you have a willingness to pay, it may encourage others to attack, and notably it funds this bad actor to launch an attack on the next victim,” writes Tony Anscombe on We Live Security.
The extent of the exposure is not yet clear.
“The cybercriminal did not access credit card information, bank account information, or social security numbers,” Blackbaud says in its statement on the incident.
Presumably, that leaves names, email addresses and other personally identifiable information.
Nor did the episode “involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment,” Blackbaud asserts.
Britain's National Trust reports that the affected data includes name, date of birth, gender, address and contact details, according to Info Security.
The attack occurred in May.
Blackbaud writes that after discovering the breach, its Cyber Security team and independent forensics experts and law enforcement “successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.”
Prior to that lockdown, the attacker removed “a subset of data from our self-hosted environment,” it says. So the company paid.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud states.
It is easy to criticize a company from the outside. One can only hope that the exposed data has been destroyed. What does Blackbaud do if it hasn’t — file a breach-of-contract suit?