St. Andrew's Episcopal School notified parents their data was stolen in a ransomware attack on its security provider. The school sent out this letter to parents last week.
Kingfish note: So let's get this straight. The attack happened in May. Blackbaud did not notify St. Andrew's about the attack until July. The company did not notify the school that well, um, you see, some student information might, just might, have been stolen until September 29 but don't worry, we confirmed the ransomers destroyed all info. Of course, the school didn't notify the parents until December 8, over two months later.
Bleepingcomputer reported on November 3:
Leading cloud software provider Blackbaud has been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the ransomware attack that the company suffered in May 2020.
Blackbaud has operations in countries around the world including the United States, the United Kingdom, Australia, and Canada.
The ransomware attack directly responsible for the software provider being sued was disclosed by the company on July 16, 2020.
The organizations impacted by the ransomware attack on Blackbaud include a long list of entities such as charities, non-profits, foundations, and universities from the U.S., Canada, the U.K., and the Netherlands.
The company said that it managed to block the attackers from completely encrypting its systems but not before stealing "a copy of a subset of data" from a self-hosted environment.
Blackbaud paid the ransom requested by the attackers after they confirmed that the stolen data was destroyed. Rest of article.
The company stated in its 2nd quarter SEC filing:
St. Andrew's has not sued Blackbaud.
36 comments:
What exactly would the school sue them for? Those lawsuits fail regularly.
Kingfish, 2 months to investigate, determine impact, and mitigate the threat is not unusual. The last thing you want to do when dealing with a breach is let the entire world know about it and become an even bigger target. It doesn't "feel" right, but Blackbaud's response is pretty normal. I can't speak for how St. Andrew's handled it.
Totally understand what you mean. However, the parents still didn't find out until 7 months later.
Data is complicated, and it often takes time to complete the forensics to determine whose information was actually compromised.
The criminals promised not to misuse the data. Sounds believable....not.
That data is the complete package, i.e. a goldmine for identity theft for years to come.
7-months? Unacceptable and irresponsible.
As a St. Andrew's parent and well aware of this issue even beyond your reporting Kingfish, I am totally satisfied with the way the school handled it. The timing is justified based on the investigations and legal determinations that were involved during the period between the notification to the school and the notification to the parents.
Thank you for your concern, but until you are aware of all the things that occurred between those dates, your opinion is of little value.
As an Alumnus I am totally not satisfied. Why, after graduating 9 years ago, has St. Andrew's retained my social security number? Credit monitoring is only a band-aid and not fool-proof. Damn right I'm suing if I incur damages.
Slow news day? I get one of these letters about once a month it seems like.
@12:39pm - Definitely sounds like a St. Andrew's parent.
Well St. Andrew's parent, you told Kingfish! KF go to your room!
I have a question for St. Andrew's parents. Is the education worth the cost? I am only speaking of the classroom aspect. The social aspect does not concern me.
Equifax waited for months and their stock went up. And the state settled for peanuts. It's all rigged.
Does anyone really care?
1:38 - Well, they claim to be, so there's that.
What the hell sort of secret data is there on a high school kid anyway? They no longer record date of last period or known diseases or all that confidential, dreaded, permanent-record type stuff such as deportment and ability to get along with others.
As a 65+ citizen, I can't understand all the folks that get their panties up their crack over their SSN. Hell, mine has been distributed through so many means over the decades it would be hard to count. There was a time, although after a couple of decades, many people's driver's license numbers were their SSN (not mine, it was issued before that practice started).
And with all the hacking that seems to be occurring today, I'm sure mine has been divulged many times in recent history unknown to me.
And yet, I've never had any breach of any account - other than all the annoying telephone calls offering me to update my Microsoft account, sell me vehicle insurance, medicare options, final expense plans, and offsetting my student debt. None of which I attribute to the many number of places my SSN has been placed over the 50+ years I have held it.
The SEC filing says "To date, we have received . . . from 43 state Attorneys General . . . " I wonder if Mississippi AG Lynn Fitch is going to join this one. Probably not, unless there are political points to score with the national GOP.
"until you are aware of all the things that occurred between those dates, your opinion is of little value." That's what discovery is for, and it won't happen without a lawsuit.
SA parent here: did not get the letter, guess only part of the student body was affected. But got similar letters from my health care provider, my employer, and from several online stores, all much higher fish than SA. That’s the new world. Don’t trust the government, don’t trust anyone else. Monitor your data yourself! That’s as basic as brushing your teeth. Don’t complain if you don’t do it...
Had my identity stolen. Took two+ years to unwind. Getting the credit bureaus to correct their records was the hardest part.
Wait...this could easily lead to the discovery of hundreds of parents lying about their income and marital status. Wait'll that shit hits the gossip fan.
I'm with @3:08. Never have understood the big deal about SSN's. They've been out in the public domain for about 50 years and then some dumbass decides that we need to hide them and everyone runs for cover. Stupid. There's tons of places to find them including what someone said about the drivers license. The horse is out of the barn on this one, folks. Adjust your tin foil and move on. Same with bank routing and checking account numbers. I guess everyone closes their eyes when they cash a check.
KF is bold. If you attack the whitest, wealthiest, and most privileged group of snowflakes in town there will be consequences. Floods of Volvo and BMW drivers will begin to dox you or hire out a DDoS attack. Whoever got this info hit a potential future goldmine.
USM Foundation had same thing and I received the same boilerplate letter months later.
An organization should not collect information it cannot protect. Once you require someone to give you their info, you're responsible for it.
6:10 - from all the big privates in town, SA is probably the most diverse. For whitest you probably have to go with Prep or MRA. Wealthiest? Not sure. Hard to tell. Though definitely more new money, lots of doctors, lots of working moms, many born outside MS. And yes, they prefer to spend their money on their kids’ education. Prep and JA are more old money, with many stay at home moms, already for generations in town.
@5:38, Go ahead and post your SSN. If it is no big deal, put your SSN where your big mouth is and post it.
@8:37 - here it is, genius. 464-61-4612 knock yourself out.
5:58, make sure to include your date of birth and banking information, seeing as how "the horse is already out of the barn," and it's really no big deal.
There's a reason criminals pay for that information, and it's not because they're generous.
SSNs are NOT on driver licenses. And bank routing numbers are not on checks you cash unless you wrote a check and cashed it at your bank, in which case they have your numbers since they issued the damned things. Dummy.
@12:14 AM - WRONG
Your account and routing # are at the bottom of your checks in magnetic ink. Who's the dummy now?
@12:14 - for years in Mississippi your driver’s license number was your SS number. It wasn’t all that many years ago that it changed to the current system. And your bank routing and account number is on every check you write to anyone. Dummy
7am is correct. I remember when the DLs had to change from SS numbers.
It wasn’t all that many years ago that it changed to the current system.
How many years ago?
Yes, your routing and account numbers are on checks, but who writes checks to criminals in the first place? Who even writes checks, except Karens who hold up the line at Kroger.
State used SSN as DL number until late 80s or early 90s.
I turned 16 in the mid-90s and definitely had SSN on the license, but recall then there was an option to have a DL # assigned.
When I went to Miss. State in the very early 80's after we took a test, the professors I had would post grades on the walls of the hall outside the classroom doors with your SS# next to your letter grade. It was not a big deal. No one did anything with them. A teacher/person selling you lunch, whatever would ask you your social, which was also on our student id card. It was used for "everything" that I remember... to buy something to eat, you gave it, whatever.
Fast forward to the Twilight Zone time we live in now and I cannot even recall all the times (several) I have been notified that our info was compromised. So, after the last big one a few years ago I froze our credit with the three major credit bureaus. It works great and we just unfreeze it if we need to for any reason--that has only happened twice and I did it online. In this day and age, nothing is safe anymore. Have had someone use our debit without our debit ever being out of possession. Different times indeed.
Also, off the subject but I also went to high school in a time where most of the boys had gun racks in the back of their trucks, etc. and they had guns on campus on those racks, and nothing ever happened, nor did anyone think it was strange or say anything. We live in such different times now.
"When I went to Miss. State in the very early 80's after we took a test, the professors I had would post grades on the walls of the hall outside the classroom doors with your SS# next to your letter grade. It was not a big deal."
I was at Ole Miss at the same time.
There's no doubt a few professors did the same up there as well.
Personally I don't recall such . . . but I knew going into an exam if I would pass or fail.
But getting the right table for Happy Hour was actually a bigger concern back then.
"also went to high school in a time where most of the boys had gun racks in the back of their trucks, etc. and they had guns on campus on those racks, and nothing ever happened, nor did anyone think it was strange or say anything. We live in such different times now."
Amen Brother !
Same at my High School,
No one ever was shot, and by the time we moved into the dorms and/or frat houses at Ole Miss,
there was more firepower in our closets than at many military bases.
And ya'll had even more firepower down at MSU.
LOL !