back to article 'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

"We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack. Speaking on the US cloud CRM provider's Q2 FY2020 earnings call late on Friday, Gianoni said: "Like a lot …

  1. David M

    No consent for data sharing in the first place

    I was hit by this via the University of York, which I attended many years ago. One of my concerns is that the University never sought my consent to share my details with Blackbaud, which is a GDPR violation. The details included at least name, address, date of birth and email - very useful for identity theft. But of course the ransom was paid, and criminals are always trustworthy, so that's OK.

    1. Mike 137 Silver badge

      Re: No consent for data sharing in the first place

      "... never sought my consent to share my details [...], which is a GDPR violation"

      Not necessarily. Data sharing may be performed on several alternative lawful bases, of which consent is only on unless the data falls into the Article 9 sensitive categories. Consent would only apply if that were the lawful basis declared by the data controller as being relied on for the specific purpose.

      Of all the lawful bases, consent has received the lion's share of press, and therefore public, attention, resulting in a common but mistaken assumption that it is mandatory in all cases. Indeed if another lawful basis is legitimately relied on, consent can not be invoked, as only one lawful basis can be relied on for each specific purpose.

      1. Anonymous Coward
        Anonymous Coward

        Re: No consent for data sharing in the first place

        So what you're saying is that GDPR is another piece of bureaucratic EU nonsense that's as useful to the ordinary citizen as a chocolate teapot and whose only noticeable effect is to dish up intrusive pop-ups on nearly every website?

        1. Doctor Syntax Silver badge

          Re: No consent for data sharing in the first place

          The GDPR also has something to say about looking after the data and the responsibilities of data processors. The big failure here has been the Privacy Figleaf saying it's OK to ship the data to some overseas processor providing they abide by certain terms some of which cannot be honoured US-based corporations as court has finally ruled on.* And it was OK if you could only proceed against the overseas processor for breaches in their jurisdiction.

          What we haven't heard about yet is what Blackbaud's customers are going to do about taking action. Presumably Blackbaud were in breach of contract. I'd have thought their earnings call would have said "We expect to lose contracts and be sued into oblivion."

          * But we knew that anyway,didn't we.

    2. Paul Kinsler

      Re: No consent for data sharing in the first place

      If you want the University to be able to confirm you actually attended there, and what the result was, they are going to need to store some basic data which identifies you and distinguishes you from other David M's who might also have been there. The problem here is that that data wasn't secured properly, not that they stored it.

      It would -- I assume -- be more than a little annoying to find that your alma mater said "Nope, got no record of that dude whatsoever" when an employer was doing a few basic CV checks [1], just because the university had over-enthusiastically tried to minimise its store of personal info.

      [1] Or, for that matter, refused to replace your gone-missing/eaten-by-dog degree certificate for the same reason :-)

      1. Doctor Syntax Silver badge

        Re: No consent for data sharing in the first place

        "The problem here is that that data wasn't secured properly, not that they stored it."

        The problem was that they didn't store it. They gave it to somebody else to store, presumably to save money.

    3. big_D Silver badge

      Re: No consent for data sharing in the first place

      I don't know how the UK DPA has implemented GDPR, but in Germany you need to sign a form saying you have been informed of how the company will be handling your data and that you give them the right to pass on that data to named third parties.

      Case in point, my doctor was on holiday yesterday, so I went to his locum. There I had to sign a data protection sheet, that stated that they would store my data and hand it on to my health insurance NPO and my normal doctor. Without that, they couldn't store my data (and therefore I wouldn't be able to have a consultation).

      We are starting to use Teams at work. Part of the process is that all employees have to sign a waiver that they have been informed that their name will be stored in our Microsoft cloud as username and firstname, forename, but not other information will be used, and that that information will be visible to other Teams users, including external Teams users who they communicate with.

      Without the waiver, they cannot have access to Teams. Several employees won't sign, so they can't use Teams.

      1. Anonymous Coward
        Anonymous Coward

        Re: No consent for data sharing in the first place

        Case in point, my doctor was on holiday yesterday, so I went to his locum. There I had to sign a data protection sheet, that stated that they would store my data and hand it on to my health insurance NPO and my normal doctor. Without that, they couldn't store my data (and therefore I wouldn't be able to have a consultation).

        .

        .

        .

        Without the waiver, they cannot have access to Teams. Several employees won't sign, so they can't use Teams.

        Therefore the penalty for non-compliance is being frozen out of the system. Which is why the illusion of choice over how our private data is handled and GDPR in general is pointless bureaucratic bullshit.

    4. gerdesj Silver badge
      Paris Hilton

      Re: No consent for data sharing in the first place

      "which I attended many years ago"

      The GDPR was only available in peppermint back then.

  2. Potemkine! Silver badge

    Shouldn't Blackbaud have warn the supervisory authority of their european customers?

    I mean, in the next 72h following the discover of the breach, not two months later?

    If not, I bet this is a blatant GDPR violation, and I hope supervisory authorities through the EU will ask Blackbaud to provide some complementary information!

  3. Anonymous Coward
    Anonymous Coward

    "don't anticipate any material financial impact" and "do have insurance coverage"

    Could an increase in insurance costs lead to a financial impact?

    1. IGotOut Silver badge

      Re: "don't anticipate any material financial impact" and "do have insurance coverage"

      Or companies being pissed of at the very slow notification and leaving.

      1. Doctor Syntax Silver badge

        Re: "don't anticipate any material financial impact" and "do have insurance coverage"

        Just pissed off? I'd have thought they should be a little more reactive than that.

      2. Richard 12 Silver badge
        FAIL

        Re: "don't anticipate any material financial impact" and "do have insurance coverage"

        100% of their EEA and UK customers are now in breach of the local data protection laws due to failure to notify in a timely manner.

        That is rather likely to become expensive, and as it wasn't mentioned in their earnings call it could be considered misleading the shareholders.

        Which is also rather expensive.

  4. chivo243 Silver badge
    Coat

    Bullet, Dodged!

    Our org just ended a contract with Blackbaud, I sent the link for the original story to our Data Protection Officer, he's a shark type, he was all over it, I guess he smelled Blackblaud in the water?

    Thanks! I'm here all week!

  5. Colonel Mad

    National Trust

    We have a statement on the volunteer website, and if I understand corporate speak, the NT are far from happy.

    1. Doctor Syntax Silver badge

      Re: National Trust

      I've no doubt they are farfrom happy but where was this? The NT volunteer URL simply redirects to a dashboard run by Blackbaud and volunteers seem to be covered by a privacy policy which ATM seems to be more aspirational than real.

  6. RM Myers Silver badge

    Blackbaud probably didn't even make the decision to pay

    Most likely, the insurance policy had a clause (subrogation) which basically required that Blackbaud do what the Iinsurance company wanted (pay or not pay). If they didn't follow the insurance company's direction, then the insurance company would not be legalyl required to reimburse Blackbaud under the policy terms.

    This type of subrogation clause is very common in the United States - I don't know about other countries. For example, every auto policy will have a subrogation clause which suborns the policyholders rights to the insurance company in case of an accident. Thus you can't agree to pay $100 thousand to the other driver and then force the insurance company to pay it. In fact, if they want to be a**holes, they technically could avoid paying anything since you broke the contract terms by negotiating directly with the other driver.

    1. RM Myers Silver badge

      Re: Blackbaud probably didn't even make the decision to pay

      I'm not sure why anyone would downvote this, it is just a statement of fact based on 30 years working in the insurance industry. Here is a quote I copy off an insurance education website (https://www.thimble.com/insurance-101/ransomware-insurance-explained).

      Insurer permission: It’s important to note that the actual ransom (typically) needs to be greenlit by an insurer. This means in the policy, the insurer will state that a company or individuals needs to first seek permission prior to submitting a ransom. If the insuree goes on and pays the ransom, then tells the insurer about it afterwards, they’ll likely exclude insurance coverage.

  7. Pascal Monett Silver badge
    Flame

    Capitalism at its best

    There's a market, so there's money to make, so we shall go get that money. It doesn't matter if the end result is more crime, what matters is that there is a demand.

    With insurance on ransomware, there is literally no more possibility of stopping this type of crime. Now, companies are going to flock to their insurance company, get some form of coverage and turn around and not even care anymore about what IT needs to protect their data.

    Muppets like this Gianoni will proudly proclaim that they have insurance, and everybody on Wall Street will be happy. And the crminals will be overjoyed, because now they up their demands since hey, what do you care, you're covered.

    Brilliant. Just brilliant.

    1. Hollerithevo Silver badge

      Re: Capitalism at its best

      I work for an insurance company in the UK. We offer all sorts of cyber insurance, but none of it, to my knowledge, actually pays ransom. Just as our kidnap insurance does not pay ransom. We pay for a lot if remedial action (for the former) and lots of negotiation/travel etc (for the latter), but ransom-paying: nope, big time. And yet we have to keep telling our clients "read your contract: we don't pay ransom."

      It might be that some do, or some do and put it under the heading of "Expenditure: Misc", but we have no interest in being seen as a cash cow for sloppy Chief Security Officers. Wall Street also does not want insurance companies to be seen as big barrels of money any crook can dip into.

      1. Nano nano

        Re: Capitalism at its best

        Car theives used to believe that.

        When talking to "one of the community" when looking for my stolen car during Horse Fair Week, the response was, "Well, it was insured, wasn't it ?"

    2. Doctor Syntax Silver badge

      Re: Capitalism at its best

      "there is literally no more possibility of stopping this type of crime"

      Actually there is. Make it an offence to pay the ransom with the board liable to imprisonment for up to 10 years each for breach.

  8. Doctor Syntax Silver badge

    The standard contract clauses ot the Privacy Figleaf are quite inadequate protection for data subjects (assuming, of course,that the UK is still enjoying this fictional protection during the transition period). There needs to be provision for the data subjects to take action for compensation in their own jurisdiction. From what the report says HM Opposition should have some support for this principle.

  9. sitta_europea

    I've checked all the Register reports about Blackbaud that I can find, the ICO doesn't seem to be mentioned in any of them.

    I asked the ICO today if Blackbaud has reported the issue.

    They said yes. They didn't say when the report was made.

  10. Displacement Activity

    "Subset"?!

    "Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment."

    Curious that Blackbaud lost my school data and my university data. Seems like this subset may be rather large.

    1. tiggity Silver badge

      Re: "Subset"?!

      indeed

      subset sounds quite weasel wordy in their usage

      1. Jimmy2Cows Silver badge

        Re: "Subset"?!

        Typical weasel words to appease the challenged-of-thinking. To a lot of people "subset" sounds small. They've no idea subset is anything up to and including the entire set. So Blackbaud aren't even lying, they're just gaming the average intelligence of their users.

    2. Remy Redert

      Re: "Subset"?!

      All but the one who hadn't migrated yet is a subset of customers. All of this year's back ups is a subset of their back ups.

  11. Doogie Howser MD

    Are there any ransomware or hacking attacks that aren't sophisticated? Just askin'

  12. pd4361

    Bit ironic that one of the organisations hit was the Bletchley Park Trust. Now in the good old days, they'd have sent a team of boffins round to Blackbaud and decrypted the files for them ;)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020