
Blackbaud Faces Criticism for Cybersecurity Lapses After 2020 Data Breach

 



The cloud software company Blackbaud has come under fire from regulators for major cybersecurity failings stemming from a damaging ransomware attack in 2020. The attack exposed data held on behalf of numerous educational institutions and non-profits that were Blackbaud clients, including prominent UK universities, organisations such as the National Trust, and donors to the Labour Party.

The ransomware attack, which began in February 2020 and was not detected until May, had severe consequences for the affected organisations. Blackbaud nevertheless delayed notifying victims for almost two months, and openly admitted to paying a ransom of 24 bitcoin to the attackers without obtaining any verification that the copied data had actually been deleted.

The US Federal Trade Commission (FTC) has issued a complaint against Blackbaud, accusing the company of failing to implement adequate safeguards to protect customer data. The FTC also called out Blackbaud's misrepresentations about its security, alleging that the company failed to follow basic security practices: monitoring for unauthorised access attempts, segmenting data, enforcing multi-factor authentication, and regularly testing its security controls.

The FTC specifically criticised Blackbaud for retaining customer data longer than necessary and for allowing its employees to use weak or default passwords. These lapses allowed the threat actor to move freely within Blackbaud's systems, exploit vulnerabilities, and access unencrypted customer data.

In response to these failings, the FTC is proposing an order requiring Blackbaud to delete unnecessary data, refrain from misrepresenting its security practices, and establish a comprehensive information security programme. The order would also require Blackbaud to notify the FTC promptly of any future breach.

This isn't the first time Blackbaud has faced consequences for its handling of the incident. The company has previously been penalised by the Securities and Exchange Commission and reached a $49.5 million settlement with 49 US states. Last year it was also reprimanded by the UK's Information Commissioner's Office.

The FTC's complaint emphasises that companies like Blackbaud have a responsibility to secure and manage the data they hold. Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, stated, “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

Taken together with the earlier penalties, this case underlines the importance of robust security controls and prompt incident response in safeguarding sensitive data. The proposed FTC order aims to enforce accountability and adherence to recognised practices, requiring Blackbaud to take decisive steps to strengthen its security programme.

The incident is a stark reminder to organisations and individuals alike of the need to strengthen their security practices in the face of growing cyber threats. As Blackbaud faces regulatory scrutiny, the broader lesson is that any organisation holding sensitive personal data carries an ongoing responsibility to protect it.




Blackbaud Enhances Security Measures Following FTC Settlement


Blackbaud, a major player in U.S. donor data management, recently settled with the Federal Trade Commission (FTC) after facing scrutiny over a ransomware attack discovered in May 2020. The attack led to a substantial data breach affecting millions of individuals. The FTC's concerns centred on security lapses, including weak passwords and insufficient monitoring for intrusion attempts. The settlement marks a significant step for Blackbaud, emphasising the need for stronger security measures and data protection.

The FTC's complaint highlighted several security lapses by Blackbaud, including a failure to monitor for intrusion attempts, inadequate data segmentation, weak password practices, and a lack of multifactor authentication. As part of the settlement, Blackbaud is now required to strengthen its security measures and delete unnecessary customer data from its systems.

One crucial aspect of the settlement requires Blackbaud to establish a data retention schedule, outlining the rationale behind retaining personal data and specifying a timeline for its deletion. The company is also obligated to promptly notify the FTC in the event of a data breach requiring reporting to relevant authorities.

The FTC alleges that Blackbaud paid a ransom of 24 Bitcoin (worth around $250,000 at the time) to the ransomware gang that stole the sensitive personal data. However, the complaint states that the company never verified whether the attacker actually deleted the stolen data. The breach, disclosed in July 2020, affected over 13,000 Blackbaud business customers and their clients across the U.S., Canada, the U.K., and the Netherlands, exposing banking information, social security numbers, and plaintext credentials.

In the aftermath of the breach, Blackbaud faced 23 proposed class-action lawsuits in the U.S. and Canada by November 2020. In March 2023, the company agreed to pay $3 million to settle SEC charges for failing to disclose the full impact of the ransomware attack. In October 2023, Blackbaud agreed to a $49.5 million settlement to resolve a multi-state investigation led by the attorneys general of 49 U.S. states.

FTC Chair Lina M. Khan emphasised the severity of Blackbaud's failure to accurately convey the breach's scope, stating that it kept victims in the dark and delayed necessary protective actions. The settlement not only addresses security measures but also requires Blackbaud to avoid misrepresenting its data security and retention protocols in the future.

This settlement is a reminder of the responsibility companies bear for securing and managing the data they handle. It underscores the importance of robust security practices, continuous monitoring, and prompt, accurate disclosure in the event of a breach. Incidents like this show how much depends on companies protecting data properly and being transparent with their clients and stakeholders when something goes wrong.



Aberystwyth University and Others Affected by Blackbaud Global Ransomware Attack


Aberystwyth University, a 148-year-old institution in mid-Wales, was caught up in a ransomware attack on Blackbaud, a US company that supplies fundraising, financial management and administration software to the education sector.

It was among the 20 institutions affected by the ransomware attack, alongside the University of York, Loughborough University, the University of London, and University College, Oxford. The Welsh university, which takes in around 10,000 students a year, said that "no bank account or credit card details were taken".

The ransomware attack occurred around May of this year and targeted Blackbaud, whose software is used by many educational institutions, so the attack rippled out to at least twenty institutions in the US, UK and Canada. The company did end up paying the ransom and said it had received "confirmation that the copy [of data] they removed had been destroyed", but it was criticised for not informing victims about the hack and the risk to their data until July, almost two months after the attack was detected.

Under the General Data Protection Regulation (GDPR), a significant personal data breach must be reported to the data protection authority within 72 hours of the organisation becoming aware of it. That 72-hour duty falls on the data controllers (here, the universities and charities), while a processor such as Blackbaud must notify its controllers without undue delay so that they can meet it. Both the UK and Canadian data authorities were made aware of the breach only last week.

A spokeswoman for the ICO (the UK's Information Commissioner's Office) said: "Blackbaud has reported an incident affecting multiple data controllers to the ICO. We will be making inquiries to both Blackbaud and the respective controllers, and encourage all affected controllers to evaluate whether they need to report the incident to the ICO individually."

Impact on Aberystwyth University

The 148-year-old institution said that no student data was affected and that the "stolen data has now been destroyed", adding that it "has no reason to believe it was misused".

Blackbaud confirmed to the university that no bank account or credit card details were taken. A spokesperson for the university said, "We take data security extremely seriously. We are urgently investigating this incident and are awaiting further details from Blackbaud.

"We are in the process of contacting those online portal users and recipients of our alumni and supporter e-newsletters whom we believe may have been affected."