FTC Blasts Blackbaud's 'Shoddy' Practices in Ransomware HackFTC Is Latest Agency to Rebuke Fundraising Firm for Lax Security in 2020 Attack
The Federal Trade Commission is the latest regulatory agency taking action against fundraising and customer relationship management software provider Blackbaud in the aftermath of a 2020 ransomware incident that compromised the data of tens of thousands of clients and millions of consumers.
See Also: Healthcare Sector Threat Brief
The FTC on Thursday said it has ordered South Carolina-based Blackbaud to delete personal data that is no longer needed and to implement a long list of security improvements in the wake of the hack that affected millions of Social Security and bank account numbers (see: Blackbaud Expects Cyber Insurer Will Cover Most Attack Costs).
"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in statement. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."
The FTC's complaint against the company says that on Feb. 7, 2020, an attacker gained access to Blackbaud's self-hosted legacy product databases and remained undetected for over three months, until May 20, 2020, when a member of the firm's engineering team identified a suspicious login on a backup server.
"By the time Blackbaud discovered the breach, the attacker had stolen data from tens of thousands of Blackbaud's customers, which comprised the personal information of millions of consumers," the FTC said.
By using a Blackbaud customer's login and password to access the customer's Blackbaud-hosted database, the attacker was able to freely move across multiple Blackbaud-hosted environments by compromising existing vulnerabilities and local administrator accounts, subsequently creating new administrator accounts, the FTC said.
The hacker exfiltrated "massive amounts" of consumer data belonging to Blackbaud's customers, including millions of consumers' unencrypted personal information, such as full name, age, birthdate, Social Security number, home address, phone number, email address and financial information - including bank account information, estimated wealth and identified assets, the FTC said.
Medical information was also compromised in the hack, including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, reasons for seeking medical treatment, gender, religious beliefs, marital status, spouse names, spouses' donation history, employment information - including salary, educational information and account credentials, the FTC said.
"Blackbaud’s deficient encryption practices magnified the severity of the data breach," the FTC said, adding that Blackbaud's failure to implement appropriate data retention policies further exacerbated the severity of the breach. "Blackbaud did not enforce its own data retention policies, resulting in the company keeping customers' consumer data for years longer than was necessary."
Blackbaud eventually agreed to pay 24 bitcoin - valued at $235,000 at the time - in exchange for the attacker's promise to delete the stolen data, the FTC said. "Blackbaud has not been able to conclusively verify that the attacker deleted the stolen data," the agency added.
The FTC cited Blackbaud for a number of FTC Act violations, including deceptive breach notification statements and deceptive statements about its information security practices.
Besides deleting information no longer needed, the FTC's proposed order requires Blackbaud to implement and maintain a comprehensive information security program. That includes a long list of controls and best practices - from requiring multifactor authentication methods for all employees and contractors to encrypting sensitive data, and ensuring the timely investigation of data security events and remediation of critical and high-risk security vulnerabilities.
Other Regulatory Actions
The FTC's proposed settlement with South Carolina-based Blackbaud is the latest government regulatory enforcement action taken against the company in the wake of the hacking incident.
Last fall, Blackbaud agreed to pay $49.5 million to settle an investigation by the attorneys general of 48 states, plus the District of Columbia, into the company's data security practices in light of the ransomware attack (see: Blackbaud Pays $49.5M to Settle With State AGs in Breach).
Like the FTC's order against Blackbaud, that multistate settlement required the company to implement data security improvements. They included network segmentation, encryption, patch management, reporting of security incidents to its CEO and board, and a pledge to refrain from misrepresenting details of its data security practices.
In addition, in March 2023, the U.S. Securities and Exchange Commission ordered Blackbaud to pay a $3 million civil penalty after regulators had determined that the company filed an August 2020 quarterly report that omitted facts about its cybersecurity incident by not disclosing that hackers had obtained unencrypted bank account and Social Security numbers (see: Blackbaud to Pay $3 Million Over 'Erroneous' Breach Details.
But U.S. federal and state regulators aren't the only government entities taking action against Blackbaud.
Britain's Information Commissioner's Office reprimanded the company in September 2021 without levying a fine. Reprimands typically detail the ways in which the privacy watchdog thinks an organization has violated the U.K.'s General Data Protection Regulation and make recommendations for addressing these shortcomings.
Blackbaud did not immediately respond to Information Security Media Group's request for comment on the FTC's proposed settlement.
The FTC said it will publish a description of the consent agreement package in the Federal Register "soon." The order will be open to public comment for 30 days. Once the public feedback has been closed and reviewed, the FTC will decide whether to make the proposed consent order final.