by Andrew Gogarty, Chief Security Evangelist
24 July 2020
A ransomware attack on Blackbaud, a hosted platform used by a number of educational institutions, has put the spotlight on incident response.
According to a statement on Blackbaud’s website, “In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment.”
However, according to the press, the UK’s Information Commissioner’s Office (ICO) was only notified about the breach last week. If the attack occurred in May, this goes well beyond the requirement to report a significant breach to the data protection authority within 72 hours of learning of an incident.
Blackbaud paid the ransom demand, trusting that the criminals would destroy the data stolen as part of the attack. This goes against the best advice of information security professionals, as well as of law enforcement agencies such as the FBI and Europol.
What is more concerning is the belief that by paying the ransom, the cyber criminals would destroy the stolen data. Most people would think criminals are typically not the most trustworthy of individuals.
There are not yet enough data points available to draw a full conclusion on what happened and what went wrong. It is safe to say, however, that this is yet another example organisations can learn from: it shows the importance of having effective and consistent visibility and control over your (and your customers’) data, and over the systems used to store and exchange it.
Organisations need to ensure sufficient protection over sensitive data at rest and in transit so paying a ransom is not an option they need to consider in the first place.