'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks' "We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack. Speaking on the US cloud CRM provider's Q2 FY2020 earnings call late on Friday, Gianoni said: "Like a lot …
I was hit by this via the University of York, which I attended many years ago. One of my concerns is that the University never sought my consent to share my details with Blackbaud, which is a GDPR violation. The details included at least name, address, date of birth and email - very useful for identity theft. But of course the ransom was paid, and criminals are always trustworthy, so that's OK.
"... never sought my consent to share my details [...], which is a GDPR violation"
Not necessarily. Data sharing may be performed on several alternative lawful bases, of which consent is only on unless the data falls into the Article 9 sensitive categories. Consent would only apply if that were the lawful basis declared by the data controller as being relied on for the specific purpose.
Of all the lawful bases, consent has received the lion's share of press, and therefore public, attention, resulting in a common but mistaken assumption that it is mandatory in all cases. Indeed if another lawful basis is legitimately relied on, consent can not be invoked, as only one lawful basis can be relied on for each specific purpose.
The GDPR also has something to say about looking after the data and the responsibilities of data processors. The big failure here has been the Privacy Figleaf saying it's OK to ship the data to some overseas processor providing they abide by certain terms some of which cannot be honoured US-based corporations as court has finally ruled on.* And it was OK if you could only proceed against the overseas processor for breaches in their jurisdiction.
What we haven't heard about yet is what Blackbaud's customers are going to do about taking action. Presumably Blackbaud were in breach of contract. I'd have thought their earnings call would have said "We expect to lose contracts and be sued into oblivion."
* But we knew that anyway,didn't we.
If you want the University to be able to confirm you actually attended there, and what the result was, they are going to need to store some basic data which identifies you and distinguishes you from other David M's who might also have been there. The problem here is that that data wasn't secured properly, not that they stored it.
It would -- I assume -- be more than a little annoying to find that your alma mater said "Nope, got no record of that dude whatsoever" when an employer was doing a few basic CV checks [1], just because the university had over-enthusiastically tried to minimise its store of personal info.
[1] Or, for that matter, refused to replace your gone-missing/eaten-by-dog degree certificate for the same reason :-)
I don't know how the UK DPA has implemented GDPR, but in Germany you need to sign a form saying you have been informed of how the company will be handling your data and that you give them the right to pass on that data to named third parties.
Case in point, my doctor was on holiday yesterday, so I went to his locum. There I had to sign a data protection sheet, that stated that they would store my data and hand it on to my health insurance NPO and my normal doctor. Without that, they couldn't store my data (and therefore I wouldn't be able to have a consultation).
We are starting to use Teams at work. Part of the process is that all employees have to sign a waiver that they have been informed that their name will be stored in our Microsoft cloud as username and firstname, forename, but not other information will be used, and that that information will be visible to other Teams users, including external Teams users who they communicate with.
Without the waiver, they cannot have access to Teams. Several employees won't sign, so they can't use Teams.
Case in point, my doctor was on holiday yesterday, so I went to his locum. There I had to sign a data protection sheet, that stated that they would store my data and hand it on to my health insurance NPO and my normal doctor. Without that, they couldn't store my data (and therefore I wouldn't be able to have a consultation).
.
.
.
Without the waiver, they cannot have access to Teams. Several employees won't sign, so they can't use Teams.
Therefore the penalty for non-compliance is being frozen out of the system. Which is why the illusion of choice over how our private data is handled and GDPR in general is pointless bureaucratic bullshit.
I mean, in the next 72h following the discover of the breach, not two months later?
If not, I bet this is a blatant GDPR violation, and I hope supervisory authorities through the EU will ask Blackbaud to provide some complementary information!
100% of their EEA and UK customers are now in breach of the local data protection laws due to failure to notify in a timely manner.
That is rather likely to become expensive, and as it wasn't mentioned in their earnings call it could be considered misleading the shareholders.
Which is also rather expensive.
Most likely, the insurance policy had a clause (subrogation) which basically required that Blackbaud do what the Iinsurance company wanted (pay or not pay). If they didn't follow the insurance company's direction, then the insurance company would not be legalyl required to reimburse Blackbaud under the policy terms.
This type of subrogation clause is very common in the United States - I don't know about other countries. For example, every auto policy will have a subrogation clause which suborns the policyholders rights to the insurance company in case of an accident. Thus you can't agree to pay $100 thousand to the other driver and then force the insurance company to pay it. In fact, if they want to be a**holes, they technically could avoid paying anything since you broke the contract terms by negotiating directly with the other driver.
I'm not sure why anyone would downvote this, it is just a statement of fact based on 30 years working in the insurance industry. Here is a quote I copy off an insurance education website (https://www.thimble.com/insurance-101/ransomware-insurance-explained).
Insurer permission: It’s important to note that the actual ransom (typically) needs to be greenlit by an insurer. This means in the policy, the insurer will state that a company or individuals needs to first seek permission prior to submitting a ransom. If the insuree goes on and pays the ransom, then tells the insurer about it afterwards, they’ll likely exclude insurance coverage.
There's a market, so there's money to make, so we shall go get that money. It doesn't matter if the end result is more crime, what matters is that there is a demand.
With insurance on ransomware, there is literally no more possibility of stopping this type of crime. Now, companies are going to flock to their insurance company, get some form of coverage and turn around and not even care anymore about what IT needs to protect their data.
Muppets like this Gianoni will proudly proclaim that they have insurance, and everybody on Wall Street will be happy. And the crminals will be overjoyed, because now they up their demands since hey, what do you care, you're covered.
Brilliant. Just brilliant.
I work for an insurance company in the UK. We offer all sorts of cyber insurance, but none of it, to my knowledge, actually pays ransom. Just as our kidnap insurance does not pay ransom. We pay for a lot if remedial action (for the former) and lots of negotiation/travel etc (for the latter), but ransom-paying: nope, big time. And yet we have to keep telling our clients "read your contract: we don't pay ransom."
It might be that some do, or some do and put it under the heading of "Expenditure: Misc", but we have no interest in being seen as a cash cow for sloppy Chief Security Officers. Wall Street also does not want insurance companies to be seen as big barrels of money any crook can dip into.
The standard contract clauses ot the Privacy Figleaf are quite inadequate protection for data subjects (assuming, of course,that the UK is still enjoying this fictional protection during the transition period). There needs to be provision for the data subjects to take action for compensation in their own jurisdiction. From what the report says HM Opposition should have some support for this principle.
"Like a lot of companies, we get millions of intrusion attempts a month and unfortunately one got into a subset of our customers and a subset of our backup environment."
Curious that Blackbaud lost my school data and my university data. Seems like this subset may be rather large.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
