A cyberattack on a company that services Catholic schools in the Fall River Diocese may have exposed personal data of as many as 3,500 people, according to the diocese.
While the information could include Social Security numbers and vendor tax IDs, it did not include credit card information, the diocese said.
It also said it’s not aware of anyone suffering loss or experiencing any problems with their personal data because of the breach. The diocese is recommending that anyone who may have been impacted take advantage of free credit monitoring services it offers “out of an abundance of caution.”
The ransomware attack targeted Blackbaud, a software service provider for the diocese’s Catholic Schools Office. The diocese encompasses communities in Bristol County and includes St. John The Evangelist Elementary School in Attleboro, St. Mary’s-Sacred Heart Elementary in North Attleboro, St. Mary’s Elementary School in Mansfield and the diocesan high school Bishop Feehan in Attleboro.
The diocese did not announce which schools were impacted, but letters dated Nov. 6 went out to families of students in area schools who may have had tuition accounts.
The letter says Blackbaud’s software is used as an accounting platform for the schools office as well as other schools and non-profit organizations.
According to the Charleston, S.C., company’s website, it discovered and stopped a ransomware attack in May. The company’s own security team, along with outside experts and law enforcement, blocked the attack and prevented further damage, but not before the attacker had copied some information. The company says it paid the ransom in exchange for the attacker’s confirmation that the copied data had been destroyed, an assurance that by its nature cannot be independently verified.
“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” Blackbaud said.
“We sincerely apologize that this happened and will continue to partner closely with our customers as we jointly navigate this cybercrime incident,” it said on its website.
The company originally thought that all sensitive data was protected, but later discovered some unencrypted tables and older data that may have included information on local clients, Fall River diocese officials said.
Kevin Kiley, the chancellor and chief financial officer for the diocese, responding to an email from The Sun Chronicle, wrote that officials have had no reports of any security issues for individuals who might have been impacted.
In addition, officials have “spoken with numerous individuals since the letter was sent out and recommended to all that they take advantage of the free credit monitoring services out of an abundance of caution.”
The schools have converted from the legacy version of the system where the old, unused data was found, Kiley said.
Blackbaud has also hired third parties to monitor the dark web for any sign that the stolen data survived the promised destruction and has surfaced for sale or leak, and a firm to assist it with reviewing all of its security procedures, he added.
According to Kiley, “Blackbaud has now encrypted the data in the system tables and communicated that they intend to delete the old, unused tables by the end of 2020. Note too that the Catholic Schools Office now uses a third party for tuition payment processing (FACTS).”
Social Security data is no longer collected by any diocesan schools nor has it been for several years, he added.
The diocese still has a contract with Blackbaud, but has recently started evaluating new software options, Kiley said.
“The chancery’s financial databases are stored on Blackbaud hosted servers that were not part of the security breach,” he wrote.
The diocese is providing potentially affected parties with access to monitoring services at no charge for up to two years.
In a separate recent incident, Attleboro’s Fuller Hospital was affected when its parent company, Universal Health Services, one of the largest health care companies in the country, was hit by a cyberattack.
The company shut down its information technology network to stop the Sept. 27 attack from spreading and did not fully restore it until early October.
The company has maintained that no patient or employee data was compromised by the attack.
Ransomware attacks have crippled everything from major cities to school districts. Earlier this year, a major supplier of software services to state, county and local governments, Tyler Technologies, was hit.
In the U.S. alone, 764 healthcare providers were victimized last year by ransomware, according to data compiled by the cybersecurity firm Emsisoft.
It estimates the overall cost of ransomware attacks in the U.S. at $9 billion a year in recovery and lost productivity. For organizations unwilling to pay, recovery depends on recent backups that are kept offline or otherwise out of the attackers’ reach and that have been tested for restoration. Backups do not undo the theft of data, however: once records have been copied, as Blackbaud reported, restoring systems does nothing about the copy, which is what lets attackers keep demanding payment even after a network is rebuilt.
