Three and a half years on from a devastating 2020 ransomware attack that led to data breaches at thousands of downstream customers of cloud software company Blackbaud, the US-based supplier has been blasted by authorities over major cyber security failings, and ordered to take remedial steps.
Blackbaud specialises in financial, fundraising and admin software pitched at educational institutions and non-profits. The attack on its systems in 2020 is known to have impacted the data of multiple UK universities, including Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London.
Non-profit victims include Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, the National Trust, Sue Ryder, the Urology Foundation and the Wallich. Data on Labour Party donors was also taken.
It has since emerged that, at every step of its response, Blackbaud failed to follow recognised and recommended incident response best practice.
The attack began in February 2020 and was discovered in May, but Blackbaud waited almost two months to inform victims. It then openly disclosed it had paid a ransom of 24 bitcoin in exchange for a promise that the ransomware gang would delete the data, but never verified that this was done.
In a complaint published on 1 February, the US Federal Trade Commission (FTC) said that Blackbaud failed to implement appropriate safeguards to protect and secure its customers’ data.
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
In its complaint, the FTC said Blackbaud deceived its customers by failing to implement physical, electronic and procedural safeguards to protect their data despite having promised to do so.
Among other things, it failed to monitor repeated attempts to break into its systems, segment data to prevent an intruder from accessing it, ensure that unneeded data was deleted, implement multi-factor authentication (MFA), and test, review and assess its security controls. It also allowed its own employees to use default, weak or identical passwords across their accounts.
As a result of these issues, the threat actor behind the intrusion was able to move freely across multiple environments at will, exploiting existing vulnerabilities and admin accounts, and accessing and removing unencrypted data about the firm’s customers.
Additionally, the FTC said, Blackbaud was retaining data for far longer than was necessary for the purpose for which it was maintained – as such, some of the data related to organisations that were no longer customers.
The FTC also cited the two-month delay in notification, even though Blackbaud was well aware its attacker had obtained sensitive data including financial information and US Social Security numbers. This delay, it said, harmed ordinary people, who were unable to do anything to protect themselves against identity theft or other harms.
Going forward, the FTC is proposing an order requiring Blackbaud to delete data it no longer needs to provide products or services to customers, and prohibiting it from misrepresenting its security practices. The FTC’s order will also demand that the company develop a “comprehensive” cyber security programme to address the issues that were found, and that it notify the FTC if it experiences a notifiable breach in future.
Blackbaud has previously been penalised by the Securities and Exchange Commission, the US financial regulator, over its misleading response to the cyber attack. Additionally, last year, it reached an agreement to pay $49.5m, split across all 50 US states, to resolve their investigations into whether it violated state laws and the federal Health Insurance Portability and Accountability Act. It was also reprimanded by the Information Commissioner’s Office in the UK.