FTC slams Blackbaud for "shoddy security" after hacker stole data belonging to thousands of non-profits and millions of people

Data and software services firm Blackbaud's cybersecurity was criticised as "lax" and "shoddy" by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.

According to the FTC, Blackbaud’s poor security breach in February 2020 led to a hacker accessing the company’s customer databases and stealing personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud’s affected customers are mainly non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers’ and donors’ full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data of former and potential customers for years longer than required.

All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud or threatened to expose the stolen data. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify if the deleted the data.

The poor data retention practices were not the FTC’s only complaints about Blackbaud’s handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had "misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation."

According to Blackbaud’s customer breach notification of July 16, 2020, "The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was accessed."

However, according to the FTC, Blackbaud knew by the end of July that the attacker had taken consumers’ bank account numbers and social security numbers, but didn't disclose this to its clients until October 2020.

The FTC’s verdict was damning:

"Blackbaud’s deceptive statements, combined with the months’ long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary. Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft."

The FTC’s full report makes shocking reading, revealing that Blackbaud "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and that it "allowed employees to use default, weak, or identical passwords for their accounts."

As part of a settlement with the FTC, Blackbaud has been ordered to harden its security and delete unnecessary customer data.

"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."

Last year, Blackbaud agreed to pay a $3 million charge from the SEC for misleading disclosures about its ransomware attack, omitting important information in a quarterly report, and "misleadingly characterized" the risk as "hypothetical."

Blackbaud agreed to pay $49.5 million to settle claims brought by the attorney generals of 49 US states and Washington DC.

Blackbaud’s failure to secure its systems and entrusted data has been very costly for the company (fined, reputation damaged), non-profit clients, and the public at risk of identity theft through no fault of their own.