Friday, February 2, 2024

FTC slams Blackbaud for "shoddy security" after hacker stole data belonging to hundreds of non-profits and hundreds of thousands of people


Data and software services company Blackbaud's cybersecurity was criticised as "lax" and "shoddy" by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business's February 2020 data breach.

According to the FTC, Blackbaud's poor security led to a hacker accessing the company's customer databases in February 2020 and stealing the personal information of hundreds of thousands of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud's affected customers are primarily non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers' and donors' full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses' donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data on former and prospective customers for years longer than required.

All of this was a treasure trove for the attacker, who demanded a ransom from Blackbaud and threatened to expose the stolen data. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify whether the hacker had deleted the data.

The poor data retention practices weren't the FTC's only complaint about Blackbaud's handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had "misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation."

According to Blackbaud's customer breach notification of July 16, 2020, "The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was accessed."

However, according to the FTC, Blackbaud knew by the end of July that the attacker had taken consumers' bank account numbers and social security numbers, but did not disclose this to its clients until October 2020.

The FTC’s verdict was damning:

"Blackbaud's deceptive statements, combined with the months-long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary. Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft."

The FTC's full report makes shocking reading, revealing that Blackbaud "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and that it "allowed employees to use default, weak, or identical passwords for their accounts."

As part of a settlement with the FTC, Blackbaud has been ordered to harden its security and delete unnecessary customer data.

"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about hundreds of thousands of consumers," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."

Last year, Blackbaud agreed to pay a $3 million penalty to the SEC for misleading disclosures about its ransomware attack, for omitting important information in a quarterly report, and for having "misleadingly characterized" the risk as "hypothetical."

Blackbaud also agreed to pay $49.5 million to settle claims brought by the attorneys general of 49 US states and Washington DC.

Blackbaud's failure to secure its systems and the data entrusted to it has been very costly for the company (fined, reputation damaged), for its non-profit clients, and for the public left vulnerable to identity theft through no fault of their own.
