The donor list of the Vero Beach Museum of Art – containing detailed personal information on many of the island’s wealthiest and most noted philanthropists – was stolen by cyberthieves as part of what may have been the largest global hack of the data of nonprofits in history.
The thieves got the information as part of an attack for ransom on Blackbaud, a Charleston, S.C.-based technology provider which provides hosting services to dozens of universities, museums, schools, churches, charities and Britain’s National Trust.
Blackbaud ultimately paid an undisclosed amount of ransom and claims that the thieves destroyed the stolen data when the Bitcoin ransom was paid. But it is unable to provide any proof of that, some clients complain.
Vero Beach Museum of Art Executive Director Brady Roberts sent out an email to members and donors last Thursday informing them of the breach.
He assured members that the cyberthief “did not access your credit card information or bank account information as we do not retain this data after a transaction is processed.”
But the stolen file may have contained “contact information, demographic information, and a history of your relationship with our organization, such as donation dates and amounts.”
The BBC said stolen donor details in some cases included:
● Estimated wealth and identified
● Total number and value of past donations to the organization in
● Wider history of philanthropic and political gifts;
● Spouses’ identity and past gift
● Likelihood to make a bequest triggered by death.
This information would be valuable to fraudsters, Pat Walshe from the consultancy Privacy Matters told the BBC. They could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.
“We don’t know how many people may have been affected but we have contacted all our 5,500 members,” said the museum’s director of communications, Sophie Bentham-Wood.
Roberts suggested museum members keep a close eye on bank accounts and credit cards, and report any suspicious activity or suspected identity theft to their financial institutions or credit card companies as well as to law enforcement.
Despite the large number and the size of the attack, few have come forward to express concerns. “To date, I have received less than a handful of calls about the incident,” said Bentham-Wood.
“Blackbaud is the global industry sector leader for nonprofit software hosting services, and we have had no known issues in the past,” she added. “They are continuing to monitor the dark web with their forensic teams closely, and should we be alerted to anything further, we will be sure to communicate this to our members.”
Colleges from the University of York in the U.K. to the University of Texas at Austin and Rhode Island School of Design were affected by the hack, as were such well-known organizations as Planned Parenthood, the Boy Scouts of America, the George W. Bush Presidential Center, Human Rights Watch and New Hampshire and Vermont Public Radio. Blackbaud serves 45,000 nonprofit and government customers in 100 countries, according to The NonProfit Times.
The hack took place in Blackbaud’s self-hosted environment, where clients store files. The attack, which began in February and continued for three months, is only now coming to light, a timeline that several organizations involved in the breach are questioning.
“At first glance, the … timeline may cause some customers to question the expedience of our response,” a Blackbaud official told The NonProfit Times. “An investigation and detailed forensic analysis were needed in order to confirm the scope of the incident, to pinpoint which customers were involved and also how they were involved. And our top priority was to stop the cybercriminals and expel them from our system, which was also part of the timeline.”
Because the vulnerability was fixed, Blackbaud went on, the risk of information exposure did not increase during its lengthy investigation.
Blackbaud says it realized something was amiss in mid-May, when there was a suspicious log-in on an internal server, according to The NonProfit Times. Forensics experts and law enforcement were called in, the company said. Activity ceased by June 3, but the hacker pressed on with a Bitcoin ransom demand and, on June 18, finally divulged what files were involved.
Blackbaud, which paid the ransom in exchange for the hacker agreeing to destroy the stolen files, started notifying customers in mid-July.
The hacker was unsuccessful in installing ransomware that would lock the company’s clients out of their server.
The Vero Beach Museum of Art was built entirely by philanthropy and opened debt-free in 1986. Since then, it has amassed a collection of 880 works, most if not all donated or purchased by donor funds. The museum’s membership of 5,600 households includes a number of seasonal Vero Beach residents whose generosity extends to national and international good works.
One section of Roberts’ emailed letter came verbatim from Blackbaud’s own statement:
“Based on the nature of the incident, (Blackbaud’s) research and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”