Does anyone receive email notification about NXT attack? - urgent
Hi folks does anyone receive the notice
https://www.blackbaud.ca/newsroom/article/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped
Which hosted environment got attacked?
Incident call needs to wait for 90 mins.
Comments
-
Hi Catherine,
Yes, we received the notification too and connected with our account manager today. Happy to chat if needed!
-
Hello,
You will receive an email letting you know which of your products has been hacked. Then there are resources to help on what to do next.
https://host.nxt.blackbaud.com/incident-resources/?svcid=support&leid=p-t2Q4JFYK1UOEqHr9GOFUGA
-
Thanks for everyone's responses. Our hosted environment is safe. Have a great weekend!
-
How many organizations are feeling the need to send out a notification? How do we know what data was actually breached?
-
Totally agree with you on this. I know what wasn't compromised but what WAS compromised?
-
Yes.
Does anyone know from a GDPR perspective if this breach is notifiable to the ICO?
Morally I feel we're obliged to inform our data subjects but I need to establish the legal position
Like others in the group I really need to know the EXACT nature of the data taken - 'Backup data' is a broad brush.
Thoughts?
-
This was us last Thursday...2 hours to speak to someone at the number provided and then we got disconnected (we were able to speak with someone later though). We have also reached out to Customer Success via email, online chat support, and our Account Executive. All answers received so far have been a repeat of the original email Blackbaud sent last week. What keeps getting mentioned is to look at the fields in our product database to see what is not encrypted. Searching the knowledgebase (per the instructions we received) for more information about this has been futile. Contacting support wasn't any better as they are not able to provide a list of fields in our database. It has been very, very frustrating. Anyone else experience this?
-
Agreed.
I am running into the same thing. It's incredibly frustrating.
-
Check out https://community.blackbaud.com/forums/viewtopic/147/51457 for more discussion.
-
I posted this on a couple other threads that are having this same discussion:
Update: Our Account Executive sent a link this morning to this knowledgebase article that gives a complete list of encrypted fields:
https://kb.blackbaud.com/articles/Article/47633?_ga=2.183084207.844473688.1595265186-352945951.1568134668
Fields not on the above list are not encrypted and were part of the data breach.
Customer Support also contacted me this morning and told me the best way to get lists of our fields:
Go to Configuration and select Fields
Select the category you want to see the fields for (Action, Constituent, etc.)
Right-click anywhere on the open white space to the right of the fields listed to Export to Excel.
This has been posted by Duane Waite as well on one of the threads. (I hope I am giving credit to the correct person!)
Thank you everyone for all your comments and advice!
-
Attending the CIO-led webinar today. Hope to get more answers.
-
Xerxes Eclipse, can you share viewing information on this webinar?
-
Katrina Freeburg:
"Xerxes Eclipse, can you share viewing information on this webinar?"
The next webcast is scheduled for Thursday, July 23 at 10am ET. You can get the links to register/access from the Resources for Involved Customers page. There is also a webcast from Ted Claypoole of Womble Bond Dickson, which Blackbaud have retained regarding the incident, where he talks about some of the data breach disclosure laws that may be applicable. It's on demand and probably useful to watch if you don't have a legal department in your organization.
-
Stacey and others: exporting the list of fields from Config will give you an IDEA of MOST of the fields, and perhaps the most important ones, but it certainly will not give you all the fields in RE -- just look at the Phone option, for example. While this might also not be 100% perfect, here's what I posted in the RE group on Facebook on Friday that is likely much more comprehensive: The easiest way to get a list of fields in RE is here: https://www.blackbaud.com/docs/default-source/how-to-documentation/raisers-edge-how-to/raisers-edge-user-guides-administration/import.pdf With that consider: (1) the list of encrypted fields that are not at risk per BB (https://kb.blackbaud.com/articles/Article/47633); (2) ADD your Attributes which won't be here (easy to print or PDF with File, Print from that screen); (3) REMOVE the fields for RE optional modules you don't have; and (4) MODIFY the list for any fields you use other than as intended. On this: IMHO, do *not* start exporting a ton of information from RE, especially the sensitive fields, to a spreadsheet to analyze, search, etc. the data or fields. Do not create a new security problem to solve another one: data in a spreadsheet on your computer is a security disaster waiting to happen when someone gets ahold of that spreadsheet, computer, laptop, etc. And deleting a file does not actually delete it.
Original post above 7/17. 7/21 addition: Today I realized that with #2 in my post above I was thinking "RE 7" and "RE NXT database view." Blackbaud's emails reference "Blackbaud Raiser's Edge NXT" for some I've seen. Be aware that I don't know where or how Blackbaud stores and backs up RE NXT web view exclusive content, like Attachments (although there are other fields as well), and to my knowledge has not clarified whether this breach involves RE NXT database view only data or "all" of RE NXT. I also do not know of a source for a list of those fields. So, I would add to #2 above (5) ADD RE NXT web view-only fields if your organization is on RE NXT.
Hope that helps some.
-
Thank you Bill Connors for the information. I tried the link but it goes to Facebook asking if I want to follow the link. I chose not to. Do you have a different link to the information?
-
Hmm, sorry, they work for me. But here they are directly:
https://www.blackbaud.com/docs/default-source/how-to-documentation/raisers-edge-how-to/raisers-edge-user-guides-administration/import.pdf
https://kb.blackbaud.com/articles/Article/47633
Also, Stacey, I just edited my earlier post, so please see the edit as well.
-
Thank you Bill Connors!
-
Edit #2 7/22: Sorry for this additional edit, but BB had over 2 months to prepare for this announcement and I've had less than 1 week to try to help you all in my "spare time." I realized last night that the Import Guide understandably only includes fields that can be imported into RE 7/the RE NXT database view. It does *not* include *all* fields, such as the constituent and proposal Media tabs. I still think it's the best place to start for the quickest, biggest list available for RE fields, but I need to point out it does not include every single field. If you want to be 100% thorough, you should (6) COMPARE the guide to your live copy of RE and ADD to the list fields in your system not in this guide, like Media.
-
We were told that ResearchPoint data was also compromised. I see the great information about RE, but has anyone been able to pull out any information about RP and what fields are part of the breach and have been compromised in that system?
-
Thank you, Bill Connors for the resources and to everyone who shared information on this thread!
-
Hi, Tiffanie Duncan, we are assuming it was all fields within ResearchPoint that were compromised. I can't speak to attachments and media as we don't store those in ResearchPoint so I wasn't paying attention to that personally. But if you had strategic notes (again we didn't store there) those would have been captured.
The fields that concern me the most are birthdates (we did not store SSN, CC, or Bank Info), asset information, name and address information, board affiliations, giving history to our organizations, and to others.
While birthdates alone can't do much with a name and address they can be sold to other criminals and then combined with other information stolen from other sources and profiles are then built and sold.
How each organization uses ResearchPoint (or RE) varies greatly. Some organizations use it as their main database, some even have health information in it. It doesn't matter how long ago the information was updated or researched. We haven't used ResearchPoint since last summer so we are confident that our data looks exactly the same today as it did back in January before this happened.
I hope this information is helpful.
-
Initially, only affected organizations were contacted. While the non-encrypted data was obtained, Blackbaud believes that it was NOT distributed past the initial breach. Nothing is a 100% guarantee, but I don't believe the data was distributed past the first stage of compromise. Hence, your constituents' data should not be on the dark web, etc. for sale or distribution.
-
We are preparing our messaging to send to constituents. We will be emailing a notification to those constituents with an email address and mailing a letter to those without. I'm curious as to what other organizations are doing. Are you notifying constituents via both email and mailed letter?
-
Stacey - like many organizations, we issued what we consider to be a voluntary notification via email. Our campus had a cyber insurance policy so we are working with an approved data security incident firm to determine what, if any, other forms of notification need to be sent. In consultation with our registrar and financial aid office, we determined that we should alert the Department of Education although they are undoubtedly already aware of this incident. Still muddling through the GDPR notification issue.
If you just search on "blackbaud data security incident" you will find examples of messaging other organizations have sent. Most appear to follow the recommended messaging that was issued by Blackbaud. I have gotten two notifications from organizations I've donated to in the past but am aware of at least one other organization that has not issued any notification as of yet.
Kim