The Federal Trade Commission (FTC) has ordered Blackbaud to implement a raft of security measures after discovering reckless data security and data retention practices. The lax security measures were exploited by a hacker who gained access to Blackbaud’s self-hosted legacy product databases between February 2020 and May 2020 and stole the data of millions of individuals.
Blackbaud is a South Carolina-based software provider whose platform is used by colleges, nonprofits, and healthcare organizations for donor management and fundraising. In February 2020, a hacker used a customer’s credentials to access that customer’s Blackbaud-hosted environment. The hacker was then able to exploit vulnerabilities to reach the databases of other clients and remained undetected in the network for three months, during which the data of millions of individuals was exfiltrated. The incident came to light in May 2020, when suspicious activity was noticed on a backup server.
Blackbaud was contacted by the hacker, who threatened to expose the stolen data unless a ransom was paid. Blackbaud agreed to pay 24 Bitcoin, worth $235,000 at the time, to prevent the release of the stolen data, but was unable to conclusively verify that the data had been deleted. Blackbaud initially informed the affected customers that only names, addresses, email addresses, and telephone numbers had been accessed, and that credit card information, bank account information, and Social Security numbers had not been compromised. The FTC said Blackbaud waited 2 months to send the initial notifications, which went out on July 16, 2023. Blackbaud learned on July 31, 2023, that bank account numbers and Social Security numbers had also been stolen, but waited until October 2020 to inform customers.
The FTC determined that Blackbaud had failed to implement reasonable and appropriate security measures to prevent unauthorized access to customer data. Blackbaud did not monitor activity logs in its information systems to identify unauthorized access, allowed customers to store sensitive data in unencrypted database fields, did not adequately segment data or implement multifactor authentication, and did not test or review its security controls. Employees were not prevented from setting default, weak, or identical passwords, and patches for outdated software were not applied in a timely manner. Blackbaud had data retention policies, but they were not enforced, so customer data was retained for years longer than necessary, which greatly increased the severity of the breach.
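The retention finding above is the one the FTC singles out most clearly: a written policy existed but nothing enforced it. The following is an added example, not Blackbaud's code or anything from the FTC order, of what an enforced retention schedule looks like in practice. It is written in Python, and the categories, retention periods, record fields, and sample records are all constructed for illustration; a real deployment would read the schedule and the records from the organization's own systems.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule: maximum days a record may be kept after it was last
# needed for its business purpose. Constructed, illustrative values only.
RETENTION_DAYS = {
    "donor_contact": 365 * 3,     # names, addresses, phone numbers
    "payment_instrument": 90,     # bank account / card details
    "government_id": 30,          # Social Security numbers and similar
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date        # last date the business purpose required it
    legal_hold: bool = False  # a hold suspends deletion but is reported


def policy_gaps(records):
    """Return the set of categories present in the data but missing from the
    schedule. Unclassified data is exactly what ends up retained forever, so
    the enforcer treats this as an error rather than silently keeping it."""
    return {r.category for r in records if r.category not in RETENTION_DAYS}


def is_expired(record, today):
    """True when the record has outlived its retention period."""
    limit = RETENTION_DAYS.get(record.category)
    if limit is None:
        # Fail closed: never assume an unknown category may be kept.
        raise ValueError(f"no retention period defined for {record.category!r}")
    return today - record.last_needed > timedelta(days=limit)


def select_for_deletion(records, today):
    """Split expired records into (to_delete, on_hold). Records under a legal
    hold are reported separately so the hold is reviewed instead of being
    forgotten, which is how 'temporary' exceptions become permanent."""
    gaps = policy_gaps(records)
    if gaps:
        raise ValueError(f"retention schedule does not cover: {sorted(gaps)}")
    to_delete, on_hold = [], []
    for r in records:
        if is_expired(r, today):
            (on_hold if r.legal_hold else to_delete).append(r.record_id)
    return sorted(to_delete), sorted(on_hold)


# Constructed sample data, evaluated as of a fixed date so the run is repeatable.
AS_OF = date(2024, 2, 1)
SAMPLE_RECORDS = [
    Record("r1", "donor_contact", date(2023, 6, 1)),             # within 3 years
    Record("r2", "donor_contact", date(2019, 1, 15)),            # expired
    Record("r3", "payment_instrument", date(2023, 9, 1)),        # 153 days > 90
    Record("r4", "payment_instrument", date(2024, 1, 1)),        # 31 days, keep
    Record("r5", "government_id", date(2023, 12, 1), legal_hold=True),  # expired, held
]


if __name__ == "__main__":
    delete, held = select_for_deletion(SAMPLE_RECORDS, AS_OF)
    print("delete:", delete)   # ['r2', 'r3']
    print("on hold:", held)    # ['r5']
```

The design point is that the enforcer refuses to run over data it cannot classify and reports held records rather than dropping them from the output; both choices close the gaps through which data quietly accumulates past its retention period. Running this on a schedule, with its output feeding an actual deletion job and an audit log, is the difference between having a retention policy and enforcing one.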
The FTC alleged Blackbaud had violated the FTC Act by engaging in unfair information security practices and unfair data retention practices, issuing inaccurate breach notifications, making deceptive security statements, and issuing deceptive initial breach notifications. “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.” Blackbaud has agreed to delete extraneous data, enforce its data retention policies, and improve its information security program.
Blackbaud has previously been fined $3 million by the U.S. Securities and Exchange Commission (SEC) for leaving crucial details about the data breach out of a September 2020 8-K filing, and was ordered to pay a $49.5 million penalty to settle a multi-state investigation by the attorneys general of 49 states and D.C. Blackbaud has also been named as a defendant in around two dozen data breach class action lawsuits in the U.S. and Canada.