NPR and at least seven public media stations are assuring donors that their most sensitive financial information was not exposed in a hack of a third-party fundraising vendor.
Officials with Blackbaud, a vendor that works with thousands of nonprofits, informed NPR and the stations that it discovered and stopped a ransomware attack in May.
In a statement posted on its website last month, Blackbaud said credit card details, bank account information and Social Security numbers were not accessed. But the “cybercriminals” attempted to “disrupt the business by locking companies out of their own data and servers” between February and May.
After discovering the attack on the company’s ResearchPoint and DonorCentrics products, Blackbaud officials worked with independent forensics experts and law enforcement to expel the hackers from the system. But hackers were able to remove a copy of a subset of data before they were locked out.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” the statement said. “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Nonprofits that use Blackbaud’s products were informed about the ransomware attack in July. Station officials told Current that to their knowledge, this is the first major attack they’ve encountered while using Blackbaud.
In an Aug. 3 memo obtained by Current, Christopher Turpin, chief of staff and interim chief development officer for NPR, told donors that the security incident may have affected them.
“We are writing out of an abundance of caution. This incident may have affected your contact information, demographic information, and if you have made a gift to NPR, the history of those donations,” Turpin wrote. “Importantly, we want to assure you that the incident has not exposed any sensitive personal identification or financial data such as your credit card or bank account information, government identification number, or social security number, as we do not record or store this information in our database.”
Turpin also wrote that Blackbaud “assured us that they are confident that the cybercriminals have in fact destroyed the stolen file, and have not misused or further disseminated any data contained in the file.”
While Blackbaud informed clients that it has implemented changes to better secure its data, Turpin told members to “remain vigilant” by “monitoring any suspicious emails or communications claiming to be from NPR, or any unfamiliar attempts to solicit contributions from you.”
An NPR spokesperson did not respond to Current’s request for a list of affected stations. The spokesperson also declined to discuss whether NPR will continue using Blackbaud’s software.
Blackbaud did not respond to a request for a list of affected stations.
Impact on stations
New Hampshire Public Radio emailed members and released a public statement July 24 that said its data on Blackbaud was exposed. Deb Turner, VP of development and marketing, said in a statement to Current that the station has used Blackbaud for around 20 years. Though she is unaware of any other past data breaches involving the station and Blackbaud, she expressed concerns about how the vendor handled the matter.
“As with all vendors, we evaluate relationships at least annually, and this situation certainly gives reason to do that with Blackbaud,” she said. “We have been unhappy with the time it took Blackbaud to notify us and subsequently with their responsiveness to our information requests.”
Turner said NHPR has received messages from at least 70 people who were concerned about their data being accessed. Some asked questions about what happened and what data was involved, some requested to cancel their memberships, and others thanked the station for notifying them and being transparent.
A spokesperson for KPBS told Current in a statement Tuesday that the station has been a Blackbaud client for nearly two decades. The statement said its university licensee is reviewing the system’s contractual relationship with the vendor.
“KPBS and San Diego State University place a priority on information security and the safeguarding of personal data, and have been working with the California State University (CSU) system Chancellor’s Office to gather information to determine all details of this security incident and Blackbaud’s proposed remediation plans,” the statement said.
KPBS said “a very small number of supporters” have asked about the data breach. The spokesperson said the station is responding to members directly to relay Blackbaud’s assertion that key financial data was not exposed.
WBUR in Boston announced Saturday that the station and its university licensee, Boston University, were affected. A WBUR news report said that donors “do not need to take any action at this time.”
Louisville Public Media in Kentucky told Current that the station sent a memo to members Aug. 5 highlighting details of the data breach. Kelly Wilkinson, the director of membership, wrote that the station has never stored credit card numbers in Blackbaud’s database and instead enters payment information “directly into our secure payment processor.” But as with other stations, the Blackbaud file that was compromised included contact information, demographic details and a history of donors’ relationships to the nonprofit, such as donation dates and amounts.
“Blackbaud has been monitoring the dark web and has found no instances of the data being released. If we learn of any detection of the data, we will contact you,” Wilkinson told members. She also said Blackbaud has assured clients that it has identified security vulnerabilities and is working with multiple organizations to prevent future attacks.
Public Broadcasting Atlanta also told members Aug. 5 that the station was affected by the breach. “We are no longer working with Blackbaud,” PBA said in a public statement. “We now have a different database provider, and we have communicated with this service provider to ensure that all appropriate defenses are in place to fully protect PBA member data.”
In an email to Current, PBA declined to say when the station stopped working with Blackbaud.
Vermont Public Radio also issued a statement July 23 about the Blackbaud breach. A spokesperson told Current in a statement that VPR started working with the vendor in 2013.
“We’ve heard from about 200 people (out of about 55,000 notified) as of this week,” the spokesperson said. “Many were appreciative of our transparency. Others asked for more details, were concerned about the security of their information, and some cancelled their sustaining memberships.” The spokesperson added that VPR officials have not yet determined whether the station will continue using Blackbaud as a vendor.
A spokesperson for WGBH in Boston told Current Tuesday that the station has worked with Blackbaud for more than a decade. “WGBH was recently notified by Blackbaud that a file provided to it more than six years ago may have been affected in a ransomware attack on their system,” the spokesperson said. “None of the data provided to Blackbaud contained financial account information and we are working to determine further details.”
The spokesperson also said WGBH has used Blackbaud “only for analytics work and not individual member files,” adding that WGBH officials will evaluate the station’s relationship with Blackbaud as they learn more about the incident.
The Contributor Development Partnership, a fundraising organization affiliated with WGBH, has used Blackbaud for nearly 10 years but was not affected by the breach, said President Michal Heiplik in a statement.
“I don’t see a reason to alter our relationship with them,” Heiplik said. “It is their first data breach that I have observed, but this one does not involve CDP or its data at all.” Heiplik added that to his knowledge, few stations use Blackbaud’s ResearchPoint and DonorCentrics products.