A major ransomware attack has affected dozens of international NGOs and their records of private donations, but details of the hit on a US fundraising platform are scarce, and, two weeks after being warned, some aid groups have yet to notify their donors or the public.
International aid groups – and their private donors – are among those whose data was exposed in a security breach at online service provider Blackbaud. Names, addresses, and records of individual donations were copied by hackers, who were paid an undisclosed ransom in exchange for a promise to delete the data they had taken.
World Vision, Save the Children, and Human Rights Watch are among the large nonprofits impacted by the breach, and media reports suggest at least 200 customers of US-based Blackbaud were involved, although the company has not provided a list of affected clients.
Alan Bryce, an official at the Charity Commission – the legal regulator in England and Wales – told The New Humanitarian that, as of 4 August, 63 UK-based charities had notified them after being affected by the ransomware attack.
Bryce suggested NGOs were likely to tighten up procedures following the incident, in which hackers gained control of client data on Blackbaud’s systems and tried to lock the company out until payment was made. “Charities who have suffered cybercrime go on to revise their IT security, their training programmes, or their website security,” he said. “Do not wait until it is too late for your charity.”
Blackbaud declined to respond to questions, including how many customers were affected, referring TNH back to its 16 July statement, in which it said it had resolved the incident in collaboration with law enforcement in May. The firm said no credit card details or social security numbers were affected. However, “the cybercriminal removed a copy of a subset of data from our self-hosted environment,” it said.
Blackbaud’s cloud-based products are used by nonprofits, from domestic charities to major universities, to collect funds and manage their communities: They power the donation pages of NGOs and the back-end management databases that keep track of their regular givers.
Some of Blackbaud’s 45,000 clients work in the international and humanitarian aid sector and have come forward to acknowledge the incident – including Save the Children, World Vision, CARE Canada, and Human Rights Watch.
Others, some contacted by TNH, appear not to have informed their clients, while some say they are still assessing the damage.
One affected group is Partners in Health, an international NGO best known for its work in Haiti. Based on notifications received from Blackbaud, it is assessing the extent of the breach, which of its private donors’ details were compromised, and what its response will be. Eric Hansen, director of external relations, told TNH: “We’re disappointed and are in the process of assessing which donors were impacted and appropriate next steps.”
Blackbaud emphasises that credit card and social security information was not compromised, and that the hackers agreed to delete the data. Nevertheless, it has told clients it will be monitoring the dark web to see if the data is in circulation.
Blackbaud has told some clients, reports say, that the hack started in February but was not detected until May, adding to the uncertainty about what was taken and when. Blackbaud users and analysts have criticised the company’s brief statement about the incident, and some have expressed incredulity about the hackers’ promise to delete the data after getting paid.
The full scale of the breach is unclear. Each NGO that has been compromised could have thousands of donors whose details may have been held in Blackbaud’s systems: Human Rights Watch says it has 40,000 worldwide, but declined to answer questions about the breach. World Vision reportedly has millions of individual donors, but had not responded to questions in time for publication.
Other groups contacted by TNH that use Blackbaud’s tools gave a variety of answers: the NGO Direct Relief said, for example, that it was working to “quickly and diligently assess any required notifications to individuals and/or regulators”; Islamic Relief, MSF USA, Tearfund, the British Red Cross, and the Women’s Refugee Commission all said they were not affected by the breach – despite being Blackbaud customers.
The UN World Food Programme’s US fundraising arm told TNH it had been notified by Blackbaud that its data was compromised, but that the database was unused: It said it didn’t adopt the product despite purchasing and installing it.
Enquiries to other likely clients of Blackbaud – ShelterBox USA and the International Medical Corps – were unanswered before publication. Asked about UNHCR Canada, another likely client, Babar Baloch, the UN's refugee agency spokesman in Geneva, said: "We are not affected."
According to a former international NGO fundraiser who used Blackbaud’s tools, the types of systems that have been breached typically contain sensitive personal details, such as “how much somebody’s worth, and how much they give, and what kinds of projects they tend to give to”, as well as notes from calls and meetings.
The fundraiser told TNH the system can provide highly detailed profiles of individuals by aggregating data with details obtained from other charities and sources to target people with requests for large donations. As an example, “we used it to identify and then conduct face-to-face visits with older people to encourage them to leave us a bequest”, they said.
A cyber-security incident that dents the confidence of private individuals and discourages them from giving is the last thing the nonprofit sector needs right now, according to a senior NGO manager based in the United States.
The incident emerged as NGOs face a funding crunch due to COVID-19 and need to “pump” private donors who can still afford to help more than ever, they said, adding rhetorically: “Could this have come at a worse time?”
Requesting anonymity in order to speak on sensitive issues, the manager said that as a recession is threatening the jobs – and even the housing – of many Americans, discretionary charity donations are expected to dry up, and layoffs have begun, adding: “A lot of organisations are terrified right now.”
This explains why some NGOs have chosen to “issue a quiet statement” about the breach while they “figure out what actually happened”, the manager said, arguing that NGOs will be cautious not to draw more attention to the incident than is necessary. “If you know about it, it means you have to do something about it,” they said.
Blackbaud’s 2019 annual report contained this assessment of its cyber-security risk: “A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others.”
The NGO manager said funding for cyber-security often gets shunted to the back of the queue when NGOs draw up budgets. For example, in the wake of Black Lives Matter, they said, “every organisation is hiring a DE & I [Diversity Equality and Inclusion] officer; cyber-security never gets the attention it deserves.”
* This story was amended on 5 August to say "tried to lock the company out" rather than "locked the company out" in the fifth paragraph, and a UNHCR quote was added lower in the story for clarification