Anatomy of a Breach: Blackbaud — The Charity Software Vendor That Exposed UK Universities, NHS Trusts, and Charities

> series: anatomy_of_a_breach —— part: 138 —— target: blackbaud —— affected: uk_charities_universities_nhs —— action: paid_ransom_trusted_criminals

Hedgehog Security 30 June 2020 13 min read

The National Trust. NHS trusts. UK universities. All exposed through one vendor.

In July 2020, Blackbaud disclosed that a ransomware attack it had stopped in May 2020 had already resulted in attackers exfiltrating a copy of a subset of customer data. The intruders had been inside Blackbaud's hosted environment since February 2020; by the time the encryption attempt was blocked, the data had been gone for weeks. Blackbaud paid the ransom and stated it had received 'confirmation' that the stolen data had been destroyed. The breach affected hundreds of organisations across the nonprofit, education, and healthcare sectors, including major UK institutions.

Affected UK organisations included the National Trust, the University of Birmingham, De Montfort University, the University of Leeds, the charity Young Minds, and multiple NHS charitable trusts. The ICO received over 100 reports from affected UK organisations and investigated Blackbaud's handling of the breach. Blackbaud subsequently admitted that the breach was more extensive than initially disclosed: bank account details, Social Security numbers, and other sensitive data held in unencrypted fields had been exposed, contrary to the company's initial statement that such data was not accessed. In March 2023 the SEC charged Blackbaud with making misleading disclosures about the breach, a charge the company settled with a $3 million civil penalty.

One vendor breach. Hundreds of charities, universities, and NHS trusts affected.

Charities and Nonprofits as Collateral

Blackbaud served nonprofits, charities, and educational institutions, organisations that often have limited cybersecurity budgets and depend heavily on their technology vendors' security. When Blackbaud was breached, its customers, including UK institutions holding donor data, alumni records, and patient information, were exposed through no fault of their own. Under UK GDPR those customers were the data controllers and Blackbaud the processor, so the legal duty to assess the breach and notify the ICO and affected individuals stayed with the charities and universities, not with the vendor that lost the data. Our <a href="/blog/sector-under-the-microscope-education">education</a> and <a href="/blog/sector-under-the-microscope-healthcare">healthcare sector analyses</a> examine vendor dependency risk.
Paying the Ransom — and Trusting Criminals

Blackbaud's decision to pay the ransom, and its claim that it received 'confirmation' the data was destroyed, was widely criticised. That confirmation was the attacker's own assertion; ransomware criminals provide no verifiable guarantee of data deletion, and a copy of the data may have been sold or retained regardless of what was promised. Payment also does not remove the obligation to treat the data as compromised and to notify. UK law enforcement and the NCSC do not endorse paying ransoms, because paying simply funds further attacks. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response that does not rely on trusting criminals.
Misleading Initial Disclosures

Blackbaud initially stated that credit card details, bank account information, and Social Security numbers were not accessed, a claim the SEC later charged as misleading. Affected organisations relied on Blackbaud's assurances to inform their own breach notifications. When those assurances proved false, the organisations had to reassess the exposure and re-notify affected individuals, weeks after their first notices had gone out. The practical lesson is to keep your own record of exactly which fields you hold in each vendor platform, so that you can judge the impact of a vendor breach without waiting for the vendor's account to be corrected. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides independent breach assessment rather than reliance on vendor claims.
Vendor Security Is Your Security

The Blackbaud breach reinforced the lesson from <a href="/blog/anatomy-of-a-breach-notpetya">NotPetya</a> (M.E.Doc), <a href="/blog/anatomy-of-a-breach-ticketmaster-dixons">Ticketmaster</a> (Inbenta), and <a href="/blog/anatomy-of-a-breach-imperva">Imperva</a>: your vendors' security posture is part of your risk surface. Requiring <a href="/cyber-essentials">Cyber Essentials</a> of suppliers sets a minimum baseline for supply chain security.

When your vendor is breached, your data is breached.

The Blackbaud breach affected organisations that had done nothing wrong: their vendor was compromised, and their data was exposed. For UK charities, universities, and NHS trusts that depend on third-party platforms for donor management, alumni relations, and patient communications, vendor security must be evaluated as part of the organisation's own security posture, and the data sent to each vendor should be limited to what the service actually needs. Cyber Essentials certification of vendors demonstrates a baseline of basic controls; it is not evidence that a hosted platform protects your data. Our penetration testing assesses third-party integration security. SOC in a Box monitors for indicators of vendor compromise. And UK Cyber Defence provides incident response when a vendor breach affects your organisation.


Blackbaud exposed hundreds of UK charities and universities. How secure are your vendors?

<a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain security. <a href="/penetration-testing">Penetration testing</a> assesses vendor integrations. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for vendor compromise.