The George W. Bush Presidential Center, Boy Scouts of America and the Texas Tech Foundation have notified donors alumni that they were among a growing list of nonprofits and universities affected by a ransomware attack.
South Carolina-based Blackbaud, one of the world’s largest cloud-based data storage and software providers for institutions of higher education and nonprofits, revealed to clients and the public that it was the subject of a May ransomware attack two months after the fact on July 16.
The attack hit more than 200 institutions across the globe, according to the Texas Tech Foundation, the university’s fundraising arm. The Irving-based Boy Scouts of America was also affected by the attack, as were the ACLU, Texas State the Cancer Research Institute, the Louisiana Tech University Foundation and others.
In Texas, organizations may have indirectly exposed the personal information of tens of millions. The Boy Scouts of America alone has an alumni network of 50 million, according to its site.
According to a message sent to donors by Boy Scouts of America, which cited Blackbaud, “the data security incident started on February 7, 2020, and possibly continued intermittently until May 20, 2020.”
In its statement, Blackbaud said it did not discover the attack until May, and that it managed to prevent cybercriminals from “fully encrypting files.” In a ransomware attack, the perpetrator gains access to a victim’s data, locks it up through encryption and holds it hostage until the victim pays the ransom.
Blackbaud declined The Dallas Morning News’ request for comment.
“We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” Blackbaud said in a statement on its website.
Donors’ names, titles, dates of birth, phone numbers and email addresses may have been exposed by the data breach, multiple institutions said.
The hackers responsible for the breach did not access credit card information, bank account information or Social Security numbers, according to Blackbaud.
The Bush Center doesn’t believe donors’ personal information will be used for other purposes given the hackers’ intent to collect a ransom, the Bush Center said in a July 30 email about the data breach.
“Even though we do not believe that your personal information has been subjected to misuse or further unauthorized access due to this incident, out of an abundance of caution and in light of our respect for your privacy, we wanted to advise you of this incident,” the Bush Center email said.
Blackbaud has paid an undisclosed sum to the hackers responsible for the data breach, and hired a third party to monitor the dark web for evidence that compromised data is being sold, according to the Bush Center.
Located at Southern Methodist University in Dallas, the Bush Center is home to George W. Bush’s presidential library as well as the George W. Bush Policy Institute and the George W. Bush Foundation.
In a statement, the Texas Tech Foundation said it was similarly “not aware of any instances of fraudulent activity connected to the foundation’s data.”
The foundation has launched its own investigation into the breach and is notifying affected alumni and donors, according to a July 28 statement. Texas State has launched its own investigation into the data breach as well, according to the university’s student publication The University Star.