Service of Fingers Crossed: When to Believe Thieves
September 10th, 2020
Categories: Charity, Cyber Security, Donations, Hospitals, Museums, Theft, University
When you comply with a ransom demand you’re not in the driver’s seat. You must hope that the thieves are honorable. If you watch “Law and Order” or its offshoots, you’re familiar with the concept even if you’ve not yourself been plagued by such a horrifying theft.
The cyberthieves Sarah Cascone wrote about on artnet.com hadn’t absconded with a relative. Her article was: “Hackers Have Stolen Private Information From Donor Lists to 200 Institutions, Including the Smithsonian and the UK’s National Trust.” The subhead was: “The Parrish Art Museum and the Corning Museum of Glass were also hit by ransomware.” In addition to museums, data from hospitals, 16 US universities and 33 UK charities was lifted.
According to Cascone, the attack on Blackbaud–“a third-party cloud software company”–happened in May. Blackbaud told its clients a month later. They said that “the compromised data was limited to demographic information such as names, addresses, phone numbers, and donation summaries, and did not include credit card information, bank account information, or social security numbers.” We hope.
Cascone reported that the Corning Museum said it doesn’t “keep credit cards, bank accounts, or social security numbers in the system hosted by Blackbaud.” One wonders: where do they keep it, and is it safe?
Blackbaud said it paid the cybercriminals and confirmed that they had destroyed what they’d stolen, according to Cascone. They paid in Bitcoin. “‘What I find unsettling about Blackbaud’s situation is that they just took the hackers at their word that the stolen data was destroyed. In my experience, hackers almost always leave behind hard-to-find malware so that they can still access the system,’ said Wood.” Tyler Cohen Wood is a cyber-security consultant and the former cyber deputy chief of the Defense Intelligence Agency.
Cascone continued: “She advises that museums employing third-party providers familiarize themselves with the company’s procedures for handling ransomware attacks and to have secure data backups, even if that means paying extra.”
If you were notified by an organization that such a breach had occurred, would you get a new credit card or bank account number even if you were told the cybercriminals had no access to–or had destroyed–that information? Have you ever asked an organization to which you donate money how they protect your financial and personal information? Is cash the only secure way to donate?
Tags: Blackbaud, Corning Museum, Parrish Art Museum, Smithsonian, Tyler Cohen Wood
Actually I don’t believe we can trust anyone with our personal information. A few years ago my daughter Lisa had her bank account hacked and cleaned out. Sadly it was a week after we gave her $5000 to pay for her classes in dog training. She’s a certified animal behaviorist. The bank tried to tell her it wasn’t their problem. Luckily one of my best friends is a bank manager (not at the offending bank). She said yes they are responsible so knowledge is power and Lisa got her money back. Bottom line is you can’t even trust your bank. First thing she did was change account numbers and even new credit card info, just to be safe! Almost forgot…we are signed up with LifeLock and no help from them either. Maybe we should go back to stashing our cash under the mattress. The moral to this story is DO NOT TRUST ANYONE.
It seems incredibly naive to believe that the criminals who hacked and stole information destroyed the fruits of their labor! Also isn’t paying anything at all via bitcoin a little bit dicey?
I am not sure to what extent I would make changes in my financial accounts, but would certainly change my credit cards. I would seek advice from Equifax and the other 2 similar agencies. I don’t think any electronic transactions are safe, but don’t know how we can extricate ourselves from their power over ourselves.
Helen,
I’m afraid it has come to this. We always sent a few dollars to a person’s favorite cause, institution or charity after they died but you wonder now if that is such a good idea.
The information highway continues to be the wild west and little is done to protect the public from the thieves.
Martha,
If bitcoin is the currency asked for then that’s what Blackbaud had to give.
I’d like to know if every nonprofit has various places it stores donor information so that if their vendors are hacked, some is saved.
Wow. Never got that kind of notice. But, “Trust no one.”
Hank,
Neither did I, at least yet, which makes me wonder if I should have!
Debbie on Facebook: I froze mine & my mother’s credit after the Equifax breach. I keep an eye on all credit cards so I am not blindsided.
However, my AMEX Skymiles card was used by thieves (long distance/small amounts) but AMEX notified me immediately. I have security protocols in place for when I shop online. It’s all I can do. I put limits on transactions so I always receive confirmation when cards are used.
Debbie,
You have done everything right! AMEX has a history with me of alerting me about unusual activity.
I haven’t traveled abroad in far too long but when I went every year I think I notified my credit card company in advance.
There’s no such thing as “safe” in the cyberworld, so no, any such assurances are worthless, and if not changing card or bank, would have account numbers changed. Since credit cards represent greedy entities collecting even from “starving children” charities, I send checks for donations.
Lucrezia,
I pay by check whenever I can to protect myself. I forgot about the fees that credit card companies charge, although come to think of it I’ve noticed that when I’ve had to use a credit card to support some nonprofits I’ve been asked to contribute another few dollars to cover the fee.