With a hefty settlement fee of $49.5 million, Blackbaud’s cybersecurity nightmare has come to an end.
In a damning finding, the Federal Trade Commission concluded that Blackbaud’s “lax security” is what enabled the threat actors to gain access to sensitive user data.
After a prolonged four-year battle involving numerous organizations and institutions, the ruling was that the provider was liable for the leak of sensitive user data, which included bank account details, Social Security numbers, and login credentials.
The data breach
Blackbaud’s server was breached on May 14th, 2020. As a service provider to international organizations, over 13,000 client accounts were compromised, amounting to over a million users’ data being compromised. Blackbaud’s user base consists of non-profit organizations, universities, and hospitals. The threat actors were able to extract significant user data, but Blackbaud’s security team was able to prevent the hackers from fully accessing the site.
The data they were able to access included users’ Social Security numbers, bank account details, and login credentials. Blackbaud met the ransom requirements and paid 24 bitcoin (approximately $250,000) in exchange for the deletion of the data. It was only a month later, on July 16th, that they started notifying affected organizations and users. This was the first of a series of missteps in this saga.
Following on from the announcement and the widespread panic and outrage that ensued, Blackbaud’s remarks led users to believe that sensitive data was safe, which unfortunately wasn’t true. This misrepresentation of the truth was their second, colossal mistake. In truth, hackers had access to patient health information from hospitals, donor information, bank account details, and login credentials.
Blackbaud has also informed us that its cybersecurity team, independent forensics experts, and law enforcement prevented the criminal from blocking system access and fully encrypting files and expelled the criminal from its system.
Before being removed from the system, the criminal removed a copy of some data. Blackbaud has indicated that the incident occurred from February 7, 2020, through May 20, 2020, affecting nonprofit organizations across the nation. Although system access and full encryption of the files were prevented by Blackbaud’s cybersecurity team, a backup file containing personal information was removed.
Fines and Findings
By 2023, the attorneys general of 49 states across the country had brought forward cases against the software provider. They were able to prove that the provider downplayed the severity of the incident, falsely communicated the extent of the breach, and was liable for the exfiltrated data which, in some cases, was kept on the company’s database long after it was needed.
In a landmark settlement, Blackbaud agreed to a total payout amounting to $49.5 million. Part of the settlement included a commitment to strengthening customer data, improving customer communication and notification in the event of another breach, and outsourcing an external evaluator to assess compliance with the settlement order for a period of seven years.
In January 2024, the Federal Trade Commission (FTC) ordered Blackbaud to develop a comprehensive information security program and to erase all data it no longer needs to provide its services. According to the FTC, Blackbaud:
- Lacked encryption for sensitive data
- Failed to monitor and segment its network
- Did not have strong password requirements
- Lacked multifactor authentication
- Failed to remove and delete data they no longer needed
“Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents,” Attorney General Bonta said, representing the state of California.
Under the order, Blackbaud is required to delete data that it no longer needs to provide its products or services and is prohibited from misrepresenting its data security and data retention policies. The order also requires Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint and put in place a data retention schedule outlining its data deletion practices. It also requires Blackbaud to notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.
Blackbaud’s response
At the height of the crisis, Blackbaud informed users that it paid the cybercriminal a ransom to ensure that the copy was destroyed and had no reason to believe that any data was or wouldl be misused, disseminated, or made public. Further, they identified and eliminated the associated vulnerability that was at issue in this incident and hired its own cybersecurity team to continue monitoring for this type of criminal activity.
In addition, Blackbaud has promised to accelerate its efforts to further strengthen its security controls.
What victims were advised to do
At the time of the incident, organizations that fell prey to the attack were advised to report suspicious activity and/or suspected identity theft to financial institutions and relevant law enforcement authorities.
According to the Identity Theft Resource Center, the Blackbaud data breach affected different organizations differently, requiring various action steps depending on what data was accessed.
In instances where personally identifiable information (PII) was exfiltrated (e.g., Social Security numbers, email addresses, and bank information), customers were largely at risk of identity fraud. A careful step-by-step of recommended guidelines was issued, assisting affected customers in securing their identities and associated accounts.
For entities where sensitive PII was not exposed, the biggest threat was social engineering. Employees of the nonprofit organizations impacted by the breach were warned that they may receive emails that look like they are from an executive in an attempt at spear phishing.
Donors and members of the nonprofit organizations impacted by the breach were also notified that they may receive messages asking to provide their PII to update their contact or financial information. This can be done either directly through the email or through a link that does not actually belong to the nonprofit they are affiliated with. They were advised to verify the validity of all emails that seemed suspicious.
Concluding Thoughts
Blackbaud’s catastrophe and subsequent heavy fines and settlements serve as a cautionary tale. Securing user data is an increasingly important aspect of software service delivery. Threat actors evolve alongside cybersecurity, finding new loopholes to exploit and vulnerabilities to explore. Users, blindly trusting in the assurances provided by companies, expect that sensitive data is protected to the highest standards and that companies take the necessary measures to delete unused data points.
In the case of Blackbaud, the incident was undoubtedly made worse by poor communication timelines, misrepresentations of the truth, and negligence when negotiating with the threat actors. While the settlement order didn’t include any admissions of wrongdoing on the part of Blackbaud, the FTC’s findings and settlement conditions certainly left the burden of rectification squarely in Blackbaud’s court.
