The Federal Trade Commission (FTC) has approved a settlement with Blackbaud that settles allegations that the South Carolina company’s poor security protocols made it possible for a hacker to access its system and the personal data of millions of U.S. consumers.
Blackbaud is a company offering fundraising, financial, and administrative software, and its client list includes numerous non-profits and academic organizations. In February 2020, a hacker exploited security vulnerabilities and gained access to Blackbaud’s systems. The hacker retained that access for three months before the attack was discovered in May 2020; during that time the attacker moved laterally through the network and extracted sensitive consumer information. Over 13,000 of Blackbaud’s clients were affected, and the information of about 1.5 billion donors, patients, and other people was stolen. The attacker, a ransomware gang member, demanded a ransom payment to stop the exposure of the stolen information, and Blackbaud paid a ransom of 24 bitcoin to prevent its disclosure.
The FTC’s complaint against Blackbaud alleged violations of the FTC Act, stating that the attack was made possible by “Blackbaud’s poor security and data retention procedures.” The FTC claimed that Blackbaud:
- failed to keep track of repeated efforts to access its network
- did not segment its system to restrict lateral movement in case of a breach
- did not implement data encryption
- did not patch identified vulnerabilities
- permitted employees to utilize default/weak passwords
- did not apply multifactor authentication
- failed to test and evaluate its security controls
- retained information that the organization no longer required
After paying the ransom, Blackbaud also waited two months before sending breach notifications to clients, and it misinformed them about the scope of the information that was stolen.
Under the FTC’s approved settlement terms, Blackbaud must follow a data retention plan and delete all information that the organization no longer needs to deliver its products and services. Blackbaud is prohibited from misrepresenting its security practices and data retention policies, and it must create, implement, and maintain a comprehensive information security program that addresses all of the security problems identified in the FTC complaint. If another data breach occurs that the company must report to a local, state, or other government agency, Blackbaud must also notify the FTC.
The FTC settlement does not include a financial penalty; however, Blackbaud agreed to pay a $3 million settlement to the Securities and Exchange Commission (SEC) over its misleading disclosures concerning the data breach. The company also agreed to pay $49.5 million to 50 state attorneys general to settle claims that Blackbaud violated the Health Insurance Portability and Accountability Act (HIPAA) and state laws. Blackbaud additionally faces more than a dozen class action lawsuits filed over the data breach, which have been consolidated into a single case. Recently, a federal judge denied class certification because the plaintiffs did not meet their burden of proof on ascertainability.