Tag Archive for: Blackbaud

Blackbaud settles FTC charges on ransomware data breach
Major U.S. cloud software provider Blackbaud has agreed to bolster its security defenses and remove unneeded customer data from its systems to settle charges by the Federal Trade Commission alleging …

Source…

FTC slams Blackbaud for “shoddy security” after hacker stole data belonging to thousands of non-profits and millions of people
Data and software services firm Blackbaud’s cybersecurity was criticised as “lax” and “shoddy” by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.

According to the FTC, Blackbaud’s poor security led to a breach in February 2020 in which a hacker accessed the company’s customer databases and stole the personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud’s affected customers are mainly non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers’ and donors’ full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data of former and potential customers for years longer than required.

All of this was a treasure trove for the attacker, who demanded a ransom from Blackbaud and threatened to expose the stolen data otherwise. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was unable to verify whether the hacker had actually deleted the data.

The poor data retention practices were not the FTC’s only complaints about Blackbaud’s handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation.”

According to Blackbaud’s customer breach notification of July 16, 2020, “The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was…

Source…

Blackbaud Settles Ransomware Breach Case For $49.5m
Software provider Blackbaud has reached a multimillion-dollar agreement with 49 states over charges connected to a massive 2020 ransomware breach which impacted 13,000 non-profit customers.

Blackbaud first revealed the incident in July 2020, but attorneys general in dozens of US states subsequently took legal action against the firm after claiming it had concealed the extent of the breach and the volume of records taken.

These included Social Security numbers, healthcare information and financial details related to donors of many of Blackbaud’s charity customers. Over one million files were ultimately compromised by threat actors in the breach.

The South Carolina-based firm, which produces software to help non-profits raise funds and manage data, paid its extortionists in return for ‘assurances’ that they had deleted the stolen data. It’s a move that was heavily criticized by security experts at the time, as there’s a strong probability in such cases that threat actors may end up monetizing the data in any case.

Blackbaud has already been forced to settle in a separate case, paying $3m to the SEC after the regulator alleged that the firm’s staff had misled investors about the impact of the ransomware breach.

Read more on Blackbaud: Blackbaud Breach Hits Nine More Universities.

Under the terms of the new agreement, Blackbaud will accept no wrongdoing for the incident. However, it has agreed to fortify its data security, improve customer notification if another breach occurs and have a third party assess compliance with the terms of the settlement for a seven-year period.

The settlement funds will be paid by the end of October.

Among Blackbaud’s extensive client list, compromised organizations included hospitals, charities, religious organizations and numerous universities both in and outside the US.

These include University College Oxford, the University of London, Canada’s Ambrose University, the University of York, the Rhode Island School of Design, Human Rights Watch and mental health charity Young Minds.

Editorial image credit: Pavel Kapysh / Shutterstock.com

Source…

SEC Spanks Blackbaud Over Lapses in Reporting Ransomware Attack
Cloud computing firm Blackbaud is the latest company to find itself targeted by SEC, which alleges the company botched its response to a 2020 ransomware attack. To settle the matter, Charleston, South …

Source…