The trickle of notifications has continued into September from Maine nonprofit groups saying donors’ sensitive personal information may have been compromised in a massive data breach that occurred months earlier.
In February, hackers got into the files of Blackbaud, a South Carolina company whose products include online fundraising software widely used by nonprofits. The company detected the breach in May and stopped the intrusion, but it didn’t begin notifying clients about the incident until mid-July.
Last week, LifeFlight of Maine informed donors and others that it, too, may have been compromised in a ransomware attack on Blackbaud. A handful of other Maine nonprofits issued similar notifications in August, including Northern Light Health Foundation, The Opportunity Alliance and Maine Cancer Foundation.
Cybersecurity experts say the breach wasn’t as bad as it could have been, because the criminal activity was detected before Social Security numbers and credit card information could be taken. Still, Blackbaud ended up paying the criminals to destroy the data they managed to steal, which may have included names, addresses, passwords and other personally identifiable information.
According to Blackbaud, the breach occurred via an all-too-familiar ransomware attack, designed to bottle up all the information on Blackbaud’s computers and release it only when a ransom was paid, usually in Bitcoin cryptocurrency to an overseas account. Although that effort was thwarted, Blackbaud said, the hackers already had taken some information, and the company ultimately paid the hackers a ransom to get them to destroy the data they had taken.
Blackbaud said it has since patched the security hole that exposed some of the nonprofits’ information, including data on donors. It has refused to say how much ransom it paid, and said it is certain the data was destroyed after the payment was made.
The information included some names and contact information for donors, but both Blackbaud and its nonprofit customers said no financial information was exposed in the data breach.
The LifeFlight Foundation, which supports Camden-based emergency helicopter service LifeFlight of Maine, was the latest organization to report that its data had been compromised by the breach, sending out an email to donors on Tuesday.
Anna Dougal, director of development for the foundation, said her organization was notified of the breach by Blackbaud in mid-July and has been working with the company to try to determine the extent of the damage. She said the hackers got some fundraising, demographic and contact information on donors, but no bank account or credit card numbers.
Dougal said she and Blackbaud were able to determine that the hackers had not been able to access some of LifeFlight’s encrypted information, and that the company and law enforcement officials have gone looking for some of the data that was stolen and have been unable to find it on illicit websites where such information would normally be sold. She said Blackbaud officials told her that’s why they believe that the hackers did, in fact, destroy the data after the ransom was paid.
As with other nonprofits in Maine, LifeFlight hasn’t gotten reports from any of its roughly 20,000 donors indicating that their information was compromised and used.
Dougal said LifeFlight felt more comfortable storing its data on Blackbaud’s systems than on its own computers, where it might be accessed more easily by hackers.
There are other companies that offer the same services as Blackbaud, she said, and LifeFlight is considering its options going forward as a result of the breach.
“As of now, we are definitely taking some time to reevaluate,” she said. “We’re going to take a good, hard look at whether we want to go forward with them.”
Lily Lynch, vice president of development and communications at South Portland-based nonprofit The Opportunity Alliance, said her organization is always reviewing its relationships with vendors, but she said the nonprofit hasn’t made any decision to drop Blackbaud.
Lynch said it’s a particularly vulnerable time for nonprofits to face this kind of problem because of the disruptions and challenges posed by the coronavirus pandemic.
“To prey on nonprofits … is really unfortunate at a time when people are really in need,” she said.
The Opportunity Alliance notified donors of the data breach in mid-August, and Lynch said the organization hasn’t heard from any donors reporting that their bank account or credit card numbers were stolen, or that any unauthorized transfer attempts were made.
The organization uses Blackbaud for a system that helps maintain lists of donors and their contact information and other data, such as when they were last contacted to seek a donation.
Lynch said donors have been supportive and aware that ransomware attacks are becoming common. Police departments, town governments and others around the country have reported paying ransom money to hackers to regain access to their computer systems.
Northern Light Health Foundation, based in Bangor, notified donors and others on Aug. 5 that it was one of thousands of hospitals, health care systems and other nonprofit organizations, including several in Maine, affected by the breach at Blackbaud, which hosts its fundraising databases.
The affected databases contain information about donors, potential donors, those who may have attended a fundraising event, patients who it believes may want to support the organization, and others in the community with whom it has relationships. The foundation’s parent organization, Northern Light Health, which operates Mercy Hospital in Portland as well as several other health care facilities around the state, maintains its electronic health records separate from the foundation, it said.
Foundation spokeswoman Suzanne Roach Spruce said in an email Sunday that the organization has been talking to donors about the breach and answering the questions it can. It also is engaged in ongoing conversations with Blackbaud to fully understand the situation and expects to be sending letters to donors in the coming days, she said.
Spruce said that according to Blackbaud and to the best of the foundation’s knowledge, the stolen information has not been used inappropriately. As for whether it will continue to do business with Blackbaud, that issue has not yet been decided.
“Obviously there is concern, and there will be continued discussions, but … no decision about our future relationship with Blackbaud has been made one way or the other,” she said. “The confidentiality, privacy and security of information is our highest priority, and we take this incident with our vendor, Blackbaud, very seriously.”