Criticism Aims at Blackbaud’s Inability to Safeguard Customers from Breaches

After suffering a devastating ransomware attack in 2020, Blackbaud, a US-based cloud software company, has been heavily criticized by authorities for its significant cybersecurity failures. As a supplier specializing in financial, fundraising, and administrative software for educational institutions and non-profits, Blackbaud’s breach affected multiple UK universities and various non-profit organizations. The compromised data included information from notable institutions like the National Trust and the Labour Party’s donor records.

Regulators found that Blackbaud mishandled the incident at every turn, neglecting proper incident response practices. The attack occurred in February 2020, but Blackbaud did not inform the victims until almost two months later. Furthermore, the company publicly admitted to paying a ransom of 24 bitcoin in exchange for the promised deletion of the stolen data, but it never verified that the data was actually removed.

The US Federal Trade Commission (FTC) filed a complaint on February 1st, stating that Blackbaud had not implemented adequate safeguards to protect its customers’ data and had deceived them with false promises. The FTC accused Blackbaud of neglecting security measures such as monitoring for hacking attempts, segregating data to prevent unauthorized access, deleting unnecessary data, implementing multi-factor authentication, and regularly testing security controls, and of allowing employees to use weak passwords.

The FTC’s complaint highlighted that the intrusion enabled the threat actor to freely roam within Blackbaud’s systems, exploiting vulnerabilities and accessing unencrypted data from the company’s customers. Moreover, Blackbaud was retaining customer data for longer than necessary, including data from organizations that were no longer clients.

The FTC condemned Blackbaud for its two-month delay in notifying affected parties, despite knowing that sensitive information, including financial data and US Social Security numbers, had been compromised. This delay left individuals vulnerable to identity theft and other harms. To address these issues, the FTC proposed an order requiring Blackbaud to delete unnecessary data, be transparent about its security practices, develop a comprehensive cybersecurity program, and report any future breaches to the FTC.

Blackbaud has already faced penalties from the US Securities and Exchange Commission for its misleading response to the cyber attack. Additionally, the company agreed to pay $49.5 million to resolve investigations by all 50 US states, which concluded that Blackbaud violated state laws and the federal Health Insurance Portability and Accountability Act. Moreover, the Information Commissioner’s Office in the UK reprimanded the company for its actions.
