Blackbaud Criticized for Failing to Safeguard Customers from Breaches

After suffering a devastating ransomware attack in 2020, Blackbaud, a US-based cloud software company, has been heavily criticized by regulators for its cybersecurity failures. As a supplier of financial, fundraising, and administrative software for educational institutions and non-profits, Blackbaud held data on behalf of many organizations, and the breach affected multiple UK universities and various charities. The compromised data included records from notable institutions such as the National Trust and the Labour Party's donor database.

Blackbaud mishandled the incident at every turn, neglecting proper incident response practices. The attacker first gained access in February 2020; Blackbaud detected the intrusion in May, but did not inform affected customers until almost two months after that, in July. The company also publicly admitted to paying a ransom of 24 bitcoin in exchange for the attacker's promise to delete the stolen data, yet never verified that the data was actually destroyed.

The US Federal Trade Commission (FTC) announced a complaint on February 1st, 2024, stating that Blackbaud had not implemented adequate safeguards to protect its customers' data and had deceived them with false security promises. The FTC accused Blackbaud of failing to monitor for hacking attempts, segregate data to limit unauthorized access, delete data it no longer needed, enforce multi-factor authentication, test its security controls regularly, or prevent employees from using weak passwords.

The FTC’s complaint highlighted that the intrusion enabled the threat actor to freely roam within Blackbaud’s systems, exploiting vulnerabilities and accessing unencrypted data from the company’s customers. Moreover, Blackbaud was retaining customer data for longer than necessary, including data from organizations that were no longer clients.

The FTC condemned Blackbaud for its two-month delay in notifying affected parties, despite knowing that sensitive information, including financial data and US Social Security numbers, had been compromised. This delay left individuals vulnerable to identity theft and other harms. To address these issues, the FTC proposed an order requiring Blackbaud to delete unnecessary data, be transparent about its security practices, develop a comprehensive cybersecurity program, and report any future breaches to the FTC.

Blackbaud has already paid a $3 million penalty to the US Securities and Exchange Commission over its misleading disclosures about the attack. Additionally, the company agreed to pay $49.5 million to resolve an investigation by 49 US states and the District of Columbia, which concluded that Blackbaud violated state consumer protection and breach notification laws as well as the federal Health Insurance Portability and Accountability Act. The Information Commissioner's Office in the UK has also reprimanded the company for its handling of the incident.
