Blackbaud, a US-based cloud computing firm that provides services to education institutions, non-profits, religious organizations and healthcare organizations, is facing multiple class action lawsuits revolving around a three-month ransomware attack in which some clients’ sensitive information was breached.
The attack against the service provider, which happened in May 2020, compromised the data of eight universities in Canada, the US and the UK. Blackbaud announced the breach on July 16, stating: “In May of 2020, we discovered and stopped a ransomware attack. […] After discovering the attack, our cyber security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
However, since this statement, one class action lawsuit filed against Blackbaud in California on September 11, suggests that the perpetrators did in fact access private information, and that the cyber services provider was “unacceptably cagey with regards to the specifics” of the breach, according to a ClassAction.org report.
Lawsuits aside, one thing is clear. The Blackbaud breach, which impacted Ambrose University in Alberta, is a good example of third-party cyber supply chain risk. Candid Wüest, vice president of cyber protection research at Acronis, commented: “We’ve been talking about supply chain and third-party cyber risk for multiple years, starting with the software supply chain (all of the software and third-party data libraries that companies use for their enterprise), and more recently expanding the focus to service providers (online cloud applications and so on).
“We’ve definitely seen more and more cyber criminals making use of those service providers to get to their final target. The Blackbaud breach is a good example of this. For the attackers, it’s easier to break into one big service provider and then get access to hundreds of their clients [than to target each one individually], and often, it yields more profit for them in the end.”
For insurers, that aggregation of cyber risk is a key concern, especially when it comes to third-party cloud services and data storage providers. For example, if one of the top four cloud providers in the world went down for three to six days due to a cyberattack, it could cost up to US$19 billion in economic damages, according to AIR Worldwide.
“Cloud outages present a risk for an individual business, and more significantly on an aggregate basis,” said Steve Whelan, director of management and professional liability product development at ISO. “Imagine if one of the four large cloud providers is completely shut down, and how many organizations rely on that cloud service provider without a backup. This could have multiple impacts on an aggregated basis across multiple businesses.”
When considering third-party, supply chain cyber risk, companies have to evaluate a number of key elements: How many third-party dependencies do they have? Do they trust those software companies and service providers? Would they be able to detect if the third-party suffers a breach or if something goes wrong? Would they be able to launch some legal action against the third-party, or are they constrained by contractual fine print?
In order to mitigate that risk, insureds must have visibility of where their data is at all times, according to Wüest. He said: “Companies must be aware of where their data is stored and who has access to it. If it’s in a cloud or in a Dropbox, they need to ensure it’s being stored in compliance with privacy laws. And then they need to do simple things internally around identity and access management […] deploying multi-factor authentication and educating employees […] to raise the bar and make it harder for attackers. It’s also important for companies to have a holistic, integrated and automated view of their cyber security. They can’t just have a back-up or an anti-virus solution; they need to have all necessary security solutions combined under one umbrella.”
