In a damning post-mortem of the company’s February 2020 data breach, the United States Federal Trade Commission (FTC) criticized the cybersecurity of data and software services provider Blackbaud as “lax” and “shoddy.”
The FTC claims that a hacker broke into Blackbaud’s customer databases in February 2020 and stole the personal information of millions of customers in the US, Canada, the UK, and the Netherlands.
The majority of Blackbaud’s affected customers are non-profit organizations such as healthcare organizations, charities, and educational institutions.
The hacker stole unencrypted personal information, including the full names, ages, dates of birth, social security numbers, addresses, phone numbers and email addresses of both consumers and donors, as well as financial information (bank account information, estimated wealth, and identified assets), gender, religious beliefs, marital status, spouses’ donation histories, employment details, salaries, education, account credentials, and medical and health insurance information.
Blackbaud’s failure to enforce its own data retention policies exacerbated the security failure: customer and prospective customer data was retained for years longer than necessary.
All of this was valuable information to the attacker, who demanded a ransom from Blackbaud under threat of publishing the stolen data. The company paid the hacker 24 Bitcoin (about US$235,000) but was unable to confirm whether the data had actually been deleted.
In addition to the poor data retention practices, the FTC had other complaints about Blackbaud’s handling of the incident.
Blackbaud “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation,” according to the FTC, which criticized the business for failing to inform customers of it for two months after it was discovered.
Blackbaud’s customer breach notification of July 16, 2020 told customers that no action was necessary on their part because no personal information about their constituents had been accessed.
However, the FTC claims that Blackbaud was aware by the end of July that the attacker had stolen customers’ bank account and social security numbers, yet held off on telling its customers until October 2020.
According to the FTC, the consequences were disastrous:
As a result of Blackbaud’s false claims and the months-long delay in giving accurate notice of the breach, many of its customers concluded that notifying their own customers was unnecessary. Consumers suffered additional harm from this delay in notice because they were unaware that they needed to take any mitigating measures to protect themselves from identity theft.
The full report from the FTC is shocking to read because it states that Blackbaud “failed to monitor hacker attempts to breach its networks, segment data to make it difficult for hackers to access it, delete data that is no longer necessary, adequately implement multifactor authentication, test, review, and assess its security controls,” and “allowed employees to use default, weak, or identical passwords for their accounts.”
As part of a settlement with the FTC, Blackbaud has been ordered to tighten its security and delete customer data it no longer needs.
According to Samuel Levine, director of the FTC’s Bureau of Consumer Protection, “Blackbaud had poor security and data retention practices that made it possible for a hacker to obtain private information about millions of consumers.” It is the duty of businesses to protect the data they keep and to delete it when it is no longer required.
Last year Blackbaud agreed to pay a $3 million SEC fine for falsely disclosing information about its ransomware attack, leaving crucial details out of a quarterly report, and “misleadingly characterizing” the risk as “hypothetical.”
To resolve claims brought by the attorneys general of 49 US states and Washington, DC, Blackbaud agreed to pay $49.5 million.
Because Blackbaud failed to protect its systems and the data entrusted to it, the company has suffered severe consequences (fines and reputational damage), and its non-profit clients and the general public are now at risk of identity theft.