Data and software services company Blackbaud’s cybersecurity was criticized as “lax” and “sloppy” by the U.S. Federal Trade Commission (FTC) in its follow-up investigation into the company’s February 2020 data breach.
According to the FTC, a poor security breach at Blackbaud in February 2020 allowed hackers to access the company’s customer database and steal the personal information of millions of consumers in the United States, Canada, the United Kingdom, and the Netherlands.
Blackbaud’s affected customers are primarily non-profit organizations, including healthcare organizations, charities, and educational institutions.
The data stolen by hackers included unencrypted personal information such as consumers’ and donors’ names, ages, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, and financial details (including bank account information, estimated assets, and identified assets). is included. assets), medical and health insurance information, gender, religious beliefs, marital status, spouse’s name, spousal contribution history, employment details, salary, education and account credentials.
The security failures were further exacerbated by Blackbaud’s failure to enforce its own data retention policies, which resulted in customer data being kept longer than necessary. Blackbaud also kept data from former customers and prospects longer than necessary.
All of this was a treasure trove for attackers who demanded a ransom from Blackbaud or threatened to make the stolen data public. The company paid the hackers 24 bitcoins (equivalent to US$235,000) but was unable to confirm whether the data was deleted.
Poor data retention practices weren’t the FTC’s only complaint about Blackbaud’s handling of the case.
The FTC said Blackbaud “misrepresented the scope and severity of the breach following a highly inaccurate investigation,” and criticized the company for failing to notify customers of the breach for two months after detection.
According to Blackbaud’s customer breach notification from July 16, 2020, “Cybercriminals did not access credit card information, bank account information, or social security numbers… no personal information about your members was accessed, so no action was required on your part. I do not need it.”
However, according to the FTC, Blackbaud has until the end of July to allow attackers to had It collected consumers’ bank account numbers and Social Security numbers but did not disclose them to customers until October 2020.
Here’s what the FTC ruled:
“Blackbaud’s deceptive statements and months-long delay in providing accurate notice of the breach led many customers to believe that notification to consumers was unnecessary. This delay in notification caused additional harm to consumers. Protecting Yourself from Identity Theft “We know we need to take steps to mitigate the risk.”
The FTC’s full report contains shocking details and states that Blackbaud “failed to monitor attempts by hackers to breach its networks, partitioned its data to prevent hackers from easily accessing its networks and databases, and ensured that data was deleted when it was no longer needed.” and failed to properly implement multi-factor authentication.” , and “test, review, and evaluate security controls” and “allow employees to use default, weak, or identical passwords for their accounts.”
As part of the settlement with the FTC, Blackbaud was ordered to strengthen its security and delete unnecessary customer data.
“Blackbaud’s lax security and data retention practices allowed hackers to obtain sensitive personal data on millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Businesses have a responsibility to protect the data they maintain and to delete data they no longer need.”
Last year, Blackbaud agreed to pay a $3 million fine from the SEC for falsely disclosing ransomware attacks, omitting material information from quarterly reports, and “misleading” the risk by “hypothesizing.”
Blackbaud has agreed to pay $49.5 million to settle a lawsuit filed by attorneys general from 49 U.S. states and the District of Columbia.
Blackbaud’s failure to protect its systems and entrusted data resulted in significant costs to the company (fined, damaged reputation), its non-profit customers, and the public who were at risk of identity theft through no fault of their own.
