The Louisiana School for Math, Science and the Arts Foundation takes data protection responsibilities very seriously and enters into vendor relationships with this as a primary concern. We have launched our own investigation in response to the data security incident involving Blackbaud, Inc., the third-party service provider we use to process and store contact information, communications, and donations. We will continue to update this page with additional information as it unfolds.
What happened?
On July 16, 2020, we received an email from a Blackbaud representative informing us that the company discovered and stopped a ransomware attack in May 2020. The cybercriminal was unsuccessful in blocking system access and fully encrypting files before being permanently expelled from their system. The cybercriminal removed a copy of a subset of data belonging to some clients, including the LSMSA Foundation.
What information was involved?
A detailed forensic investigation conducted by law enforcement and third-party cybersecurity experts on behalf of Blackbaud confirmed the cybercriminal did not have access to any encrypted information, including bank account numbers or credit and debit card information.
The data accessed by the cybercriminal in the Blackbaud database may have contained some of the following information:
- Public information such as name, title, date of birth, spouse
- Address and contact information such as phone numbers and email addresses
- Summary giving history to LSMSA
- Educational attainment
What actions did Blackbaud take?
In addition to full cooperation with law enforcement and third-party experts, Blackbaud informed us that it paid the cybercriminal's demand for confirmation that the copy of data removed from its systems had been destroyed. Blackbaud retained third-party experts to continually monitor the web for any potential misuse, and they provided additional assurances that the data had been erased.
What steps did the Foundation take?
We immediately launched our own investigation and have taken the following steps:
- We are notifying affected constituents to make them aware of this breach of Blackbaud's systems so they can remain vigilant;
- We are working with Blackbaud to understand why there was a delay between finding the breach and notifying us and what actions Blackbaud has taken and is taking to increase its security;
- We are taking steps to learn exactly how many other healthcare, educational and not-for-profit organizations have been affected;
- We are seeking our legal counsel and will continue to take advice from the IT team at LSMSA.
Blackbaud Security Incident Frequently Asked Questions
Blackbaud provided us with the following information for additional clarification:
What happened?
Blackbaud discovered and stopped a ransomware attack. In a ransomware attack, cyber criminals attempt to disrupt a business by locking companies out of their own data and servers. After discovering the attack, their Cyber Security team - together with independent forensics experts and law enforcement - successfully prevented the cybercriminal from blocking their system access and fully encrypting files and ultimately expelled the cybercriminal from their system. Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. The data set the cybercriminal was exposed to did not contain any credit card information. The cybercriminal did not access bank account information or social security numbers because they are encrypted. In accordance with regulatory requirements and in an abundance of caution, Blackbaud notified all organizations whose data was part of this incident and provided resources and tools to help assess this situation. Blackbaud has already implemented changes to prevent this specific issue from happening again.
Did Blackbaud pay the cybercriminal to contain the information they had?
Yes, Blackbaud went to all appropriate measures to protect their customers' data, which was their top priority in that situation. Blackbaud has no reason to believe that any data was or will be made available publicly. Blackbaud did not pay the ransom until they received assurance that the data was destroyed. As a precautionary measure, they have hired outside experts to monitor the dark web indefinitely, and they have found no evidence that any information was ever released.
How can Blackbaud be sure the information the cybercriminal was exposed to has been contained and wasn't sold online?
Based on the nature of the incident, Blackbaud's research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Their motivation was to disrupt Blackbaud's business by encrypting customer files in their data centers, which Blackbaud was able to prevent. Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.
Why didn't Blackbaud contact customers in May?
Blackbaud detected the first indicator of compromise on May 14, 2020. The cybercriminal's activity was contained and stopped by May 20, 2020. All traces of the cybercriminal and their attempt to regain access ceased by June 3, 2020, and Blackbaud could focus on assessing the extent of the damage to the system and to data. Blackbaud conducted its own damage assessment and received a revised statement of affected files from the cybercriminal on June 18, 2020. Blackbaud's third-party forensic assessor provided an official report on June 25, 2020. By July 9, 2020, Blackbaud developed enough certainty on information exposed and customers affected that it could work toward notifications. Customer notifications were made on July 16, 2020. From the beginning of the incident to the end, the risk of information exposure did not increase. Data exposed to the cybercriminal was held and then destroyed by the cybercriminal after they were paid a negotiated amount to do so. Blackbaud and third parties, including law enforcement, have been monitoring the dark web and found no instances of the compromised data being released.
Click here for more information about Blackbaud's detailed measures to minimize threats to data security.