Norwich — The giant fundraising software company Blackbaud, which handles Otis Library’s donor data, was hacked by ransomware cybercriminals earlier this year and paid a ransom to ensure the stolen data was destroyed by the attackers, Blackbaud officials have disclosed.
Otis Library sent letters to donors this week informing them of the cyberattack and assuring them that the stolen data did not include sensitive credit card or bank account information. The letter did not mention the ransom payment, and Blackbaud has not disclosed the amount paid through Bitcoin, according to a story by the business publication The Nonprofit Times. The Nonprofit Times article also stated Blackbaud has been working with FBI officials in South Carolina on the investigation.
Blackbaud officials issued a statement to The Day on Tuesday in response to questions about the attack involving Otis Library donors, with a link to an explanation of the incident on the company’s website, www.blackbaud.com, and to two Nonprofit Times stories. The company declined to comment further.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” Blackbaud’s email statement said. “Their motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.”
In an update on its website dated Tuesday, Blackbaud said the cybercriminals “did not access credit cardholder data,” but said further forensic investigation found that for some of the notified customers, “the cybercriminal may have accessed some unencrypted fields intended for bank account information, (Social Security) numbers, usernames and/or passwords.” The new finding applies to only some of the affected customers, who were contacted this week and provided additional support.
The letter sent to Otis donors this week stated the cybercriminal did not access bank account or credit card information. “However, the file removed may have contained your name, mailing address, telephone number, donation dates and amounts.” The letter stated the company has received confirmation that the information was destroyed.
Otis Library Director Robert Farwell said the letters to donors, on Otis Library stationery and signed by Farwell, were sent by Blackbaud to anyone whose information was included in the hacked database. Farwell said he even received the letter at his home.
Farwell estimated that possibly more than 1,000 Otis donors received the letters.
“We were apparently one of a much larger pool of other nonprofit institutions affected,” Farwell said. “Hospitals, treatment centers spread over the Northeast.”
Blackbaud told The Nonprofit Times the attack apparently occurred Feb. 7 but was not detected until May 14 by Blackbaud staff, who noticed unauthorized access to the system. Blackbaud started notifying affected customers in July as the criminal investigation ensued.
“We sincerely apologize that this happened and will continue to partner closely with our customers as we jointly navigate this cybercrime incident,” Blackbaud’s website stated.