Federal Trade Commission takes action against Blackbaud for inadequate security practices, seeks orders for it to delete unnecessary data
February 14, 2024
The Federal Trade Commission has taken action against Blackbaud and required it to delete personal data that it does not need. The genesis of this outcome was the poor security practices that let a hacker access a trove of sensitive personal information in 2020, much of which should not have been kept. The FTC set out multiple Blackbaud transgressions: failing to segment data, failing to have multifactor authentication, and not notifying customers of the breach. In this case, as in many others, a data breach doesn’t reveal one flaw but a system-wide failure.
The media release provides:
South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.
In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.
As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.
In addition to failing to encrypt sensitive data and implement adequate firewalls to help protect it, Blackbaud held onto data far longer than was necessary for the purpose for which it was maintained, including information belonging to former customers, according to the complaint.
Once the company detected the breach, Blackbaud agreed to pay a ransom of 24 Bitcoin, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint.
At the same time, the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, telling customers they did not need to take any action in response to the breach, according to the complaint. Even though it knew as early as the end of July 2020 that the hacker had obtained sensitive data including Social Security and bank account information, the company waited another two months before it told its customers about the full scope of the breach. The FTC says this delay harmed consumers who were unable to take steps to protect themselves from potential identity theft and other potential harms resulting from the breach.
In addition to requiring Blackbaud to delete data that it no longer needs to provide products or services to its customers, the proposed order will prohibit the company from misrepresenting its data security and data retention policies. The proposed order also will require Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint. In addition, the company will also be required to put in place a data retention schedule that would detail why it maintains personal data and when it will delete such information. The proposed order also requires that Blackbaud notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.
The relevant provisions of the Complaint provide:
- On February 7, 2020, an attacker gained access to Blackbaud’s self-hosted legacy product databases. The attacker purportedly used a Blackbaud customer’s login and password to access the customer’s Blackbaud-hosted database.
- the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts, subsequently creating new administrator accounts.
- the attacker was undetected for over three months, until May 20, 2020, when a member of Blackbaud’s engineering team identified a suspicious login on a backup server.
- by the time Blackbaud discovered the breach, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which comprised the personal information of millions of consumers.
- the exfiltrated files were not encrypted, and included consumers’:
  - full names,
  - age,
  - date of birth,
  - social security numbers,
  - home addresses,
  - phone numbers,
  - email addresses,
  - financial information (including bank account information, estimated wealth, and identified assets),
  - medical information (including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, and reasons for seeking medical treatment),
  - gender,
  - religious beliefs,
  - marital status,
  - spouse names,
  - spouses’ donation history,
  - employment information (including salary),
  - educational information, and
  - account credentials.
- Blackbaud’s deficient encryption practices magnified the severity of the data breach by:
  - allowing customers to store social security numbers and bank account information in unencrypted fields not specifically designated for those purposes;
  - allowing customers to upload attachments containing consumers’ personal information, which Blackbaud did not encrypt; and
  - not encrypting its database backup files, which contained complete customer records from the products’ databases, even for former customers.
- Blackbaud did not enforce its own data retention policies, resulting in the company keeping customers’ consumer data for years longer than was necessary.
- Blackbaud failed to notify its customers of the breach for two months after detection. It issued its first notice to its customers on July 16, 2020.
- in its July 2020 breach notification, Blackbaud misrepresented the scope and severity of the breach after conducting an exceedingly inadequate investigation.
- although Blackbaud knew, as early as July 31, 2020, as part of its continuing post-breach investigation, that the attacker had exfiltrated consumers’ bank account numbers and social security numbers, Blackbaud did not disclose the extent of the breach to its customers until October 2020. Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft.
The FTC found:
- that Blackbaud failed to provide reasonable or appropriate security for the personal information that it collected and maintained about consumers, such as by failing to:
  - implement appropriate password controls. As a result of this failure, employees often used default, weak, or identical passwords;
  - apply adequate multifactor authentication for both employees and customers to protect sensitive consumer information;
  - prevent data theft by monitoring for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s networks; continuously log and monitor its systems and assets to identify data security events; and perform regular assessments as to the effectiveness of protection measures;
  - implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers’ personal information stored on its network;
  - patch outdated software and systems in a timely manner, leaving Respondents’ networks susceptible to attacks;
  - test, audit, assess, or review its products’ or applications’ security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases;
  - implement appropriate firewall controls. This failure resulted in an attacker making unauthorized connections from outside of Respondents’ networks; and
  - implement appropriate network segmentation to prevent attackers from moving freely across Blackbaud’s networks and databases.
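Two of the failings above, unenforced retention schedules and sensitive identifiers sitting in fields never designated for them, are ones a control can check mechanically rather than by policy document. The following Python is an added example, not code from Blackbaud, the FTC or this post: it encodes a hypothetical retention schedule as data (purpose, justification, maximum age), flags every record that has outlived its purpose, belongs to a former customer past an offboarding grace period, or is held for a purpose the schedule never justified, and separately scans non-designated free-text fields for SSN-like values. All purposes, field names, grace periods and sample records are constructed for illustration.

```python
"""Retention-schedule enforcement and misplaced-identifier check (added example).

A retention schedule that exists only as a policy document cannot be audited.
Encoding it as data lets a scheduled job report every record that should
already have been deleted.  Everything below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical schedule: purpose -> (why the data is held, maximum days to hold it).
# A record held for a purpose not listed here has no documented justification.
RETENTION_SCHEDULE = {
    "donation_processing": ("needed to process and receipt donations", 365 * 7),
    "event_registration":  ("needed until the event has taken place", 90),
    "customer_support":    ("needed while a support case is open", 180),
}

# Hypothetical offboarding window: former customers' data is held only this long.
FORMER_CUSTOMER_GRACE_DAYS = 30

# SSN-like pattern (nnn-nn-nnnn, space-separated, or nine contiguous digits).
SSN_LIKE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
# Fields designed (and expected to be encrypted) to hold an SSN are exempt from the scan.
DESIGNATED_SSN_FIELDS = {"ssn"}


@dataclass
class Record:
    record_id: str
    purpose: str
    last_needed: date              # last date the stated purpose still required the record
    customer_status: str           # "active" or "former"
    customer_left: Optional[date] = None
    fields: dict = field(default_factory=dict)


def retention_findings(records, today, schedule=RETENTION_SCHEDULE):
    """Return {record_id: reason} for every record the schedule says should be gone."""
    findings = {}
    for r in records:
        if r.purpose not in schedule:
            findings[r.record_id] = f"no documented purpose: {r.purpose!r}"
            continue
        _, max_days = schedule[r.purpose]
        if today - r.last_needed > timedelta(days=max_days):
            findings[r.record_id] = f"exceeded {max_days}-day retention for {r.purpose!r}"
            continue
        if (r.customer_status == "former" and r.customer_left is not None
                and today - r.customer_left > timedelta(days=FORMER_CUSTOMER_GRACE_DAYS)):
            findings[r.record_id] = "former customer past offboarding grace period"
    return findings


def misplaced_ssn_findings(records):
    """Return {record_id: [field names]} where SSN-like values sit in non-designated fields."""
    findings = {}
    for r in records:
        hits = [name for name, value in r.fields.items()
                if name not in DESIGNATED_SSN_FIELDS
                and isinstance(value, str) and SSN_LIKE.search(value)]
        if hits:
            findings[r.record_id] = hits
    return findings


# Constructed sample data; the SSN-like values are made up.
TODAY = date(2024, 2, 14)
SAMPLE_RECORDS = [
    Record("r1", "donation_processing", date(2022, 1, 1), "active",
           fields={"name": "Constructed Donor", "ssn": "123-45-6789"}),
    Record("r2", "event_registration", date(2023, 9, 1), "active",
           fields={"notes": "gala seat 12"}),
    Record("r3", "donation_processing", date(2015, 6, 30), "active",
           fields={"name": "Long Ago Donor"}),
    Record("r4", "customer_support", date(2024, 1, 20), "former", date(2023, 11, 1),
           fields={"notes": "caller gave SSN 987-65-4321 for verification"}),
    Record("r5", "marketing_lookalike", date(2024, 2, 1), "active",
           fields={"email": "x@example.invalid"}),
]

if __name__ == "__main__":
    for rid, why in retention_findings(SAMPLE_RECORDS, TODAY).items():
        print(f"DELETE {rid}: {why}")
    for rid, names in misplaced_ssn_findings(SAMPLE_RECORDS).items():
        print(f"REVIEW {rid}: SSN-like value in non-designated field(s) {names}")
```

Run against the sample data, the check reports r2 (event data held past 90 days), r3 (donation data older than seven years), r4 (former customer past the grace window) and r5 (a purpose the schedule never justified) for deletion, and r4 for review because an SSN-like value sits in a free-text notes field rather than the designated, encrypted column. The point of structuring it this way is that the schedule becomes a reviewable artefact and the deletion list becomes a routine job output, rather than a promise in a policy.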
Many of the failings identified by the FTC are typical of those found in Australian businesses, usually discovered only after a data breach. Until recently, and even now to a lesser extent, those failings have been unlikely to attract regulatory action.
Under the Privacy Act, organisations and government bodies must comply with the Australian Privacy Principles. The starting point is often APP 11, which requires APP entities to take reasonable steps to ensure that the personal information they hold is protected from misuse, interference, loss, and unauthorised access, modification or disclosure by third parties. The Office of the Australian Information Commissioner has released a ‘Guide to Securing Personal Information’ on compliance. If the Government does allow for a statutory tort and proceedings are issued, the question of what is reasonable will be the subject of scrutiny. The Guide is very general; organisations should be looking to better practice than the minimum it suggests.
The data hoarding identified by the FTC, Blackbaud’s retention of data even after the purpose for its collection had ended, is a common enough problem in Australia, as the Medibank data breach illustrates. It is also a breach of APP 11.
Blackbaud’s delay in notifying customers of the breach, and its misleading of customers by downplaying the breach’s severity, were appalling practice and would probably be a breach of Australia’s Notifiable Data Breaches scheme. An entity must provide notification within 30 days if there is an ‘eligible data breach’.
The story has been covered by cybersecurity with Blackbaud settles FTC data security probe into 2020 ransomware attack, and PR Newswire with Blackbaud Reaches Agreement with the Federal Trade Commission Related to 2020 Security Incident.