Last week, US cloud computing company Blackbaud revealed that a previously disclosed cyberattack in May has had larger consequences than initially believed.
Initially, the University of York, a Blackbaud user, notified staff and students that their personal data may have been compromised as a result of the breach. However, Blackbaud has now confirmed that twelve institutions or organisations have also been affected by the breach, including several universities in the UK, US and Canada, and two charities.
Ransomware attacks, a form of malware where hackers hold data for ransom, can be particularly damaging to companies and difficult to trace. Blackbaud has revealed that they paid the ransom demand upon receipt of confirmation that the data in question had been deleted. Though this may have mitigated the immediate risk, this action is in direct contradiction with FBI and Europol’s advice, and may encourage other would-be cyber attackers. Additionally, their delay in publicly stating this information, as well as the list of their affected customers, may put them in violation of GDPR.
The Blackbaud breach is a clear example of the potential dangers of third-party services, and why it is crucial to choose suppliers that have clearly demonstrated exemplary cyber security standards and practices and that actively work to find and mitigate vulnerabilities.
Furthermore, after choosing a trustworthy supplier, organisations must be aware of the constant risks that their third parties bring into their digital ecosystem. Using a tool like CyDesk, organisations can identify, analyse and manage their cyber and compliance risks across their digital ecosystem, allowing them time to put in place an effective management plan, such as switching to a secondary provider.
Ransomware and malware will certainly continue to be significant risks to organisations across industries. However, being aware of third-party risks and implementing a strong management strategy can go a long way to minimising the potential damage of a data breach.