Data and software services provider Blackbaud's cybersecurity was criticised as "lax" and "shoddy" by the United States Federal Trade Commission (FTC) in a damning post-mortem of the company's February 2020 data breach.
According to the FTC, Blackbaud's poor security in February 2020 led to a hacker accessing the company's customer databases and stealing the personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.
Blackbaud's affected customers are primarily non-profits, such as healthcare agencies, charities, and educational organisations.
Data stolen by the hacker included unencrypted personal information, such as consumers' and donors' full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses' donation history, employment details, salaries, education, and account credentials.
The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data on former and prospective customers for years longer than required.
All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud and threatened to expose the stolen data otherwise. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify whether they had deleted the data.
The poor data retention practices were not the FTC's only complaint about Blackbaud's handling of the incident.
The FTC criticised the company for not notifying customers of the breach for two months after detection, saying Blackbaud had "misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation."
According to Blackbaud's customer breach notification of July 16, 2020, "The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was accessed."
However, according to the FTC, Blackbaud knew by the end of July that the attacker had taken consumers' bank account numbers and social security numbers, but did not disclose this to its customers until October 2020.
The FTC's verdict was damning:
"Blackbaud's deceptive statements, combined with the months long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary. Because of this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft."
The FTC's full report makes shocking reading, revealing that Blackbaud "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and that it "allowed employees to use default, weak, or identical passwords for their accounts."
As part of a settlement with the FTC, Blackbaud has been ordered to harden its security and delete unnecessary customer data.
"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."
Last year, Blackbaud agreed to pay a $3 million penalty to the SEC for misleading disclosures about its ransomware attack, omitting important information in a quarterly report, and having "misleadingly characterised" the risk as "hypothetical."
Blackbaud also agreed to pay $49.5 million to settle claims brought by the attorneys general of 49 US states and Washington DC.
Blackbaud's failure to secure its systems and the data entrusted to it has been very costly for the company (fined, reputation damaged), for its non-profit customers, and for the public placed at risk of identity theft through no fault of their own.