FTC orders Blackbaud to heighten security after data breach

The Federal Trade Commission (FTC) has settled with Blackbaud following charges of inadequate security measures and careless data retention protocols that led to a massive data breach.

What happened?

Blackbaud, a cloud-based donor data management software provider, faced FTC  charges for inadequate security and data retention practices following a May 2020 ransomware attack. The breach exposed millions of people's data. The FTC's complaint showed Blackbaud's failure to prevent breaches, implement security measures, delete unnecessary data, and implement adequate password security. 

The FTC settlement mandates Blackbaud to enhance security, accurately represent its data security and data retention protocols, and establish a detailed data retention schedule. Blackbaud has been ordered to promptly report breaches to the FTC for relevant agency reporting. 

Read more:

• Increase online security with a robust password policy
• Common password attacks and how to avoid them
• What are the HIPAA breach notification requirements

The backstory 

In May 2020, Blackbud experienced a ransomware attack and a data breach that affected millions. After being threatened to release the data online, they paid the attackers a ransom of 24 Bitcoin. Despite the ransom being paid, Blackbus has failed to verify data deletion. 

In July 2020, Blackbaud announced that a breach had occurred and subsequently disclosed that it affected the data of more than 13,000 business customers and their clients across the United States, Canada, the United Kingdom, and the Netherlands. The compromised information included banking details, social security numbers, and plain text login credentials.

In September 2020, Blackbud submitted an 8-K filing with the U.S. Securities and Exchange Commission (SEC). However, the disclosure downplayed the severity of the breach. By November 2020, the company was already a defendant in 23 proposed class-action lawsuits related to the May 2020 breach in the U.S. and Canada.

Blackbaud settled SEC charges in May 2023 by paying $3 million. Furthermore, the company resolved a joint multi-state investigation initiated by attorneys general from all but one U.S. state in October for $49.5 million to compensate for the breach incident.

See also: HIPAA Compliant Email: The Definitive Guide

What was said?

A complaint filed by the FTC claimed that Blackbud "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls." It also "allowed employees to use default, weak, or identical passwords for their accounts." This made it easier for the attackers to access Blackbud’s network. 

Samuel Levine, Director of FTC's Bureau of Consumer Protection, emphasized that “companies have a responsibility to secure data they maintain and to delete data they no longer need,” which Blackbaud has failed to do. 

In a joint statement, FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya emphasized that "Blackbaud's failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse."

Related: Guide to HIPAA compliant password requirements

Why it matters

When companies fail to implement, follow, and educate their employees on cybersecurity measures, they open the door for cybercriminals to gain access to sensitive data. This compromises the security of the data, leading to breaches that have different penalties depending on the industry. 

A failure to accurately disclose the severity of the breach can, and will, only worsen the situation by not allowing the infected individuals an opportunity to protect the data they hand over to the company. 

This cyberattack demonstrates data breaches' broader societal and economic implications and the importance of proactive measures to prevent them.

FAQs

What is ransomware, and how does it work?

Ransomware is malicious software designed to block access to a computer system or files until money is paid. It typically encrypts files or locks the entire system, and the attackers demand payment (usually in cryptocurrency) to unlock them.

Go deeper: What is ransomware and how to protect against it

What are data breaches, and how do they occur?

Data breaches involve unauthorized access to sensitive information, such as personal or financial data, resulting in exposure or misuse. Breaches can occur due to various factors, including cyberattacks, insider threats, weak security controls, or human error.

Go deeper: Understanding HIPAA violations and breaches

How can organizations protect themselves from ransomware attacks and data breaches?

Organizations can protect themselves by practicing good cybersecurity hygiene, such as avoiding clicking on suspicious links or attachments, using strong and unique passwords, enabling two-factor authentication, keeping software updated, and being cautious when sharing personal information online.