Students and academic staff have a lot on their minds right now.  From fluctuating exam results to the pandemic that is strangling academic tranquillity nationwide. It has been a tough year for the education sector. But the recent data-breach by software developers ‘Blackbaud’ seems to take the biscuit in the anxiety race. As a former student I wanted to find out what went wrong.

The story so far

Blackbaud, which oversees the gateway services to many educational institutions, admitted in a recent statement that it had paid an undisclosed ransom to cyber criminals in an attempt to regain control of its clients’ personal data which had been encrypted in a ransomware attack earlier this year.

The attack was carried out by cyber criminals and targeted the sensitive data of people  associated with a number of Universities and Charitable organisations.  Both present and previous students and educational personnel are said to have had their data compromised.

The software developer’s mishandling of this data breach has made news all around the world with their lack of transparency being mentioned frequently.  The data breach, which is now believed to have affected in excess of 150 institutions worldwide (according to the Information Commissioner's Office), was discovered in May of this year but Blackbaud have only recently disclosed the attack to the general public, and those affected. That  has angered various parties and damaged the reputation of the software giant, not to mention violating industry practice and, some say, the law.

Blackbaud confirmed the speculative payment recently with the following statement:

 “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. … We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.” 

The deadly sins

This is where things get even stickier for Blackbaud. While trying to maintain the privacy of their clients, the tech company has committed 2 deadly sins within the world of cyber security.

Sin 1:

•  Blackbaud paid a ransom.  It is widely accepted that companies that are experiencing extortion related hacks should not comply with their attackers’ financial demands. 

In paying a ransom they have put the power in the hands of the criminals and have set a negative precedent which will affect the cybersecurity industry long term.  Future potential attackers will look at the Blackbaud data breach of 2020 and their subsequent payment as a probable outcome for future criminal acts.  Put simply, by paying the ransom they have inadvertently put others’ data up for sale. 

We Fight Fraud’s Solomon Gilbert, Head of Cyber had this to say:

"The truth is, though, that these ransoms are a large puzzle piece in other organised crime operations. These operations coax millions from unsuspecting, vulnerable people, and the hard truth is that we need to look out for each other and help keep each other safe, by not paying ransoms. Even if that means sacrificing business continuity"

Sin 2:

• While trying to resolve the crisis by communicating directly with criminals Blackbaud kept the data breach intentionally concealed, a big 'no no' in the security world.  GDPR protocol requires any data breach to be reported to authorities within 72 hours by law, unless the handler can prove that those affected are not at any risk of their information being compromised. 

Tony Sales We Fight Fraud’s head of strategic development, and former fraudster, commented:

“Even when a company or business pays a ransom, how do they know for sure they can trust that the hacker has not already sold the data on to other criminals?  Do not pay, get experts in to sort it out”

My thoughts and conclusions 

As a former student I have my own concerns.  When defending their actions in this botched handling of the attack, Blackbaud committed a fatal error in human relations by thinking that those affected would simply accept that a company of this size could make such an inexcusable error.  And that in doing so the public would not ask some pressing questions.  For example: ‘What makes you think you can trust criminals?!’ The blind faith that Blackbaud seems to have that the criminals would keep their side of the bargain is for me very disturbing.  While Blackbaud may truly believe that by paying the ransom they mitigated a certain amount of risk from this attack, the cybersecurity professionals drafted in to help with the investigation surely can not rule out foul play from the hackers. 

The lack of professionalism when handling this attack is remarkable. A company of this size should have a rigid and strategic action plan in place for handling such a crisis.  That plan should be executed quickly as soon as the crisis happens. 

At this point, nothing is stopping these criminals from simply selling the data on the dark web to other criminal organisations, or using the existing data for extortion down the road.

What now?

Moving forward, Blackbaud will have to work closely with those affected in the hopes they can mitigate their dire situation and restore the faith of their clients.  The question is, what will Blackbaud do for the vast number of companies and individuals who have been affected by this ordeal?  Can they fully recover?  Only time will tell.