After suffering a devastating ransomware attack in 2020, Blackbaud, a US-based cloud software company, has been heavily criticized by authorities for its significant cybersecurity failures. As a supplier specializing in financial, fundraising, and administrative software for educational institutions and non-profits, Blackbaud’s breach affected multiple UK universities and various non-profit organizations. The compromised data included information from notable institutions like the National Trust and the Labour Party’s donor records.
However, it was discovered that Blackbaud mishandled the incident at every turn, neglecting proper incident response protocols. The attack occurred in February 2020, but Blackbaud did not inform the victims until almost two months later. Furthermore, the company publicly admitted to paying a ransom of 24 bitcoin in exchange for the promised deletion of the stolen data but failed to confirm if the data was actually removed.
The US Federal Trade Commission (FTC) filed a complaint on February 1st, stating that Blackbaud had not implemented adequate safeguards to protect its customers’ data and had deceived them with false promises. The FTC accused Blackbaud of neglecting security measures such as monitoring for hacking attempts, segregating data to prevent unauthorized access, deleting unnecessary data, implementing multi-factor authentication, and regularly testing security controls, and of allowing employees to use weak passwords.
The FTC’s complaint highlighted that the intrusion enabled the threat actor to freely roam within Blackbaud’s systems, exploiting vulnerabilities and accessing unencrypted data from the company’s customers. Moreover, Blackbaud was retaining customer data for longer than necessary, including data from organizations that were no longer clients.
The FTC condemned Blackbaud for its two-month delay in notifying affected parties, even though the company knew that sensitive information, including financial data and US Social Security numbers, had been compromised. This delay left individuals exposed to identity theft and other harms. To address these issues, the FTC proposed an order requiring Blackbaud to delete unnecessary data, be transparent about its security practices, develop a comprehensive cybersecurity program, and report any future breaches to the FTC.
Blackbaud has already faced penalties from the US Securities and Exchange Commission for its misleading response to the cyber attack. Additionally, the company agreed to pay $49.5 million to resolve investigations by all 50 US states, which concluded that Blackbaud violated state laws and the federal Health Insurance Portability and Accountability Act. Moreover, the Information Commissioner’s Office in the UK reprimanded the company for its actions.