Cloud computing provider Blackbaud has admitted that financial details and passwords are among data feared stolen by hackers, according to a new regulatory filing.
The 29th September filing to the United States Securities and Exchange Commission said that an additional investigation found cybercriminals may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.
The filing did not state that credit or debit card information was included in the breach. The company also said that the fields used to contain sensitive information were generally encrypted and not accessible to hackers.
The major cyberattack hit Blackbaud in May and involved the theft of data belonging to many of the company’s clients. The hack hit an estimated 166 UK charities and education centres, including Bletchley Park, the National Trust and Edinburgh Zoo.
Blackbaud was criticised for the slow pace at which it disclosed the hack, only revealing information in mid-July.
Up until now, most information has suggested that the attackers had only accessed personal information, such as names and email addresses. Blackbaud and the institutions affected by the hack have largely denied that financial information had been hit.
Blackbaud previously said it had paid the ransom in exchange for “credible confirmation” that the data had been deleted.
“These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support,” the company said in its filing.
While the exact number or identity of the customers who had financial information stolen is unknown, according to the BBC, the National Trust and the University of Birmingham are among the organisations affected by the new revelation.
However, some US groups had already claimed that sensitive financial information was compromised during the breach before Blackbaud made its notification.
US company Northwestern Memorial HealthCare has recently said that, out of the 55,983 of its clients who had their data stolen, five people had Social Security numbers, financial accounts, and payment-card information that were unencrypted during the attack.
Some people in the US who had donated money to several of Blackbaud’s customers recently filed lawsuits against the company over the breach. They claimed the firm had failed to adequately protect its clients’ data.