The widening Blackbaud data breach has spread into the world of politics, with the Labour Party becoming the latest organisation to step forward as a victim of the US firm’s ransomware incident. Reports suggest that data on Labour’s donors, including information on their political opinions and views, may have been put at risk.
According to ITV News, the information at risk was contained within Blackbaud’s Raiser’s Edge fundraising and donor management system, and relates to donors to the party dating back several years.
Labour sources are understood to have told ITV that any donor who had given Labour less than £7,500 – meaning they did not have to make a declaration to the Electoral Commission – was likely to be affected. The party is currently contacting those affected.
A Labour Party spokesperson said: “We have been alerted by one of our suppliers, Blackbaud, that they have suffered a data breach. We have reported the matter to the ICO and are working to establish further facts around this situation. We will take any action necessary in line with our statutory obligations.”
Chad Anderson, senior security researcher at DomainTools, said: “This should be a significant concern to all voters in the UK, regardless of their political viewpoints. It is imperative that the main political parties are all given a fair and impartial hearing, and considering the importance of digital campaigning in modern politics cycles, a cyber attack such as this could give other parties an advantage.
“That this breach is part of a wider attack suggests, however, that this was not politically motivated, and the Labour Party is simply part of a larger puzzle. That being said, they should take the relevant steps to ensure that any members who could be affected are informed and provided with security advice for minimising the associated risks.”
Blackbaud paid a ransom and claims it has received assurances that the hackers have deleted its customers’ data, although it has now repeatedly declined to elaborate on exactly what that means or why it believes it can trust the word of a criminal, preferring to wax lyrical on how sophisticated its security processes are, and how it contributes to a number of security thought leadership bodies.
Most security thought leaders would argue that you should neither pay a ransom nor take hackers at their word.
HaveIBeenPwned’s Troy Hunt described Blackbaud’s response as “an absolute mess” in a Twitter thread in which he sympathised with the firm’s security teams having to put up with its communications misfires.
Blackbaud continues to claim that the majority of its customers were not hit, but with the list of known victims now well over 100, it is clear that this is now a substantial cyber security incident, raising big questions over the firm’s competence as a data handler under UK data protection law.
Speaking on a conference call marking its most recent set of financial results, Blackbaud president and CEO Michael Gianoni said: “I’d like to just apologise on behalf of Blackbaud for the incident. Over the last five years, we’ve made significant investments to build a modern cyber security practice.”