Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.
Blackbaud is a cloud service provider to organizations engaged in fundraising who suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but likely large, affecting millions of individuals across the globe.
Blackbaud issued notably strong communications that de-emphasized the risk of harm. It rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.
On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:
In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.
This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.