We here at MFT Nation have published a series of posts discussing certain data breach incidents. We do this as a service to our customers and readers to keep them informed and aware of “what not to do” in the world of managed file transfer and data security. This blog is the latest in this series and involves a company named Blackbaud, Inc. OK, let’s get right into it.
1. Who is Blackbaud?
Blackbaud generates nearly $1 billion in revenue from software solutions and services. It generates most of its U.S. revenue from software solutions in cloud and hosted environments and stores a wide variety of consumers’ personal information on behalf of its customers.
2. The Data Breach
On February 7, 2020, an attacker gained access to Blackbaud’s self-hosted legacy product databases. The attacker remained undetected for over three months, until May 20, 2020, when a member of Blackbaud’s engineering team identified a suspicious login on a backup server. By the time Blackbaud discovered the breach, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which comprised the personal information of millions of consumers.
Once detected, the attacker threatened to expose the stolen consumer data unless Blackbaud paid a ransom. Blackbaud eventually agreed to pay 24 Bitcoin (valued at $235,000 at the time) in exchange for the attacker’s promise to delete the stolen data, but it has not been able to conclusively verify that the attacker deleted the stolen data. The $235,000 payment to the attacker was just a small fraction of the overall financial impact caused by the data breach.
3. The US Federal Trade Commission (FTC) Comes Calling
After investigating the incident, the FTC initiated an administrative complaint against Blackbaud alleging violations of the FTC Act.[1]
a. The FTC Identified Several Causes for the Data Breach and Resulting Damage
The attacker purportedly used a Blackbaud customer’s login and password to access the customer’s Blackbaud-hosted database. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts, subsequently creating new administrator accounts and ultimately exfiltrating massive amounts of consumer data belonging to Blackbaud’s customers.
Blackbaud’s deficient encryption practices magnified the severity of the data breach. For example, Blackbaud allowed customers to store social security numbers and bank account information in unencrypted fields not specifically designated for those purposes. It also allowed customers to upload attachments containing consumers’ personal information, which Blackbaud did not encrypt. Finally, Blackbaud did not encrypt its database backup files which contained complete customer records from the products’ databases, even for former customers.
Blackbaud’s failure to enforce appropriate data retention policies worsened the breach's severity, as it retained consumer data for unnecessary durations. Incredibly, it held onto data from former, unaffected, and potential customers for extended periods, thereby compounding the problem.
Blackbaud then shot itself in the foot, so to speak, by publicly downplaying the extent of the breach. Based on what the FTC deemed an “inadequate” initial investigation, Blackbaud falsely assured customers that no personal data was compromised. It took weeks for Blackbaud to come around and finally acknowledge the breach, but the delay left consumers vulnerable to identity theft without the chance to take necessary precautions.
b. The FTC Identified Flawed Information Security Practices
The FTC alleged that Blackbaud failed to:
i. Implement appropriate password controls. As a result of this failure, employees often used default, weak, or identical passwords.
ii. Apply adequate multifactor authentication for both employees and customers to protect sensitive consumer information. For example, Blackbaud failed to comply with industry standards and internal policies requiring multifactor authentication for remote access to sensitive environments.
iii. Prevent data theft by monitoring for unauthorized attempts to transfer or exfiltrate consumers’ personal information outside the company’s networks; continuously log and monitor its systems and assets to identify data security events; and perform regular assessments as to the effectiveness of protection measures.
iv. Implement and enforce appropriate data retention schedules and deletion practices for the vast amounts of consumers’ personal information stored on its network.
v. Patch outdated software and systems in a timely manner, leaving Blackbaud's networks susceptible to attacks.
vi. Test, audit, assess, or review its products’ or applications’ security features; and conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.
vii. Implement appropriate firewall controls. This failure resulted in an attacker making unauthorized connections from outside of Blackbaud's networks.
viii. Implement appropriate network segmentation to prevent attackers from moving freely across Blackbaud’s networks and databases.
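The FTC’s items iii, vii and viii describe monitoring that was missing. As an added illustration (not code from the page, from Blackbaud, or from the FTC filing), the following detector runs over constructed log lines that mirror the chain described above: a customer login, a newly created administrator account, a login on a backup server from the same external address, and a large outbound transfer from that server. The log format, host naming convention, internal address range and transfer threshold are all assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (hypothetical, not real Blackbaud records) modelled on the
# chain the FTC describes: customer login, new admin account, backup-server login from the
# same external address, and a large transfer to an external destination.
SAMPLE_LOGS = """\
2020-02-07T02:14:09Z auth host=db-legacy-01 user=cust_svc src=203.0.113.44 result=success
2020-02-07T02:20:31Z admin host=db-legacy-01 actor=cust_svc action=create_admin new_user=svc_backup2
2020-02-08T03:05:12Z auth host=backup-02 user=svc_backup2 src=203.0.113.44 result=success
2020-02-08T03:40:00Z transfer host=backup-02 user=svc_backup2 dst=198.51.100.9 bytes=73400320000
2020-02-09T09:00:00Z auth host=backup-02 user=ops_admin src=10.0.5.12 result=success
2020-02-09T09:05:00Z transfer host=backup-02 user=ops_admin dst=10.0.8.20 bytes=5242880
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
EXFIL_THRESHOLD = 1 * 1024 ** 3                        # assumed: 1 GiB per transfer
BACKUP_HOST_PREFIX = "backup-"                          # assumed host naming convention
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split 'timestamp kind key=value ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    return {"ts": ts, "kind": kind, **dict(KV.findall(rest))}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(log_text):
    """Return (timestamp, rule, detail) alerts for the three indicators above."""
    alerts = []
    for ev in map(parse, log_text.strip().splitlines()):
        if ev["kind"] == "admin" and ev.get("action") == "create_admin":
            alerts.append((ev["ts"], "new_admin_account",
                           f"{ev['actor']} created {ev['new_user']} on {ev['host']}"))
        elif (ev["kind"] == "auth" and ev["result"] == "success"
              and ev["host"].startswith(BACKUP_HOST_PREFIX) and not is_internal(ev["src"])):
            alerts.append((ev["ts"], "external_backup_login",
                           f"{ev['user']}@{ev['host']} from {ev['src']}"))
        elif (ev["kind"] == "transfer" and not is_internal(ev["dst"])
              and int(ev["bytes"]) >= EXFIL_THRESHOLD):
            alerts.append((ev["ts"], "large_external_transfer",
                           f"{ev['user']}@{ev['host']} sent {ev['bytes']} bytes to {ev['dst']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

Each of the three rules fires once on the sample; the routine internal login and small internal transfer on the last two lines produce no alert.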
c. The Proposed Settlement
Within the last two weeks, Blackbaud agreed to terms of a settlement which would require it to delete consumer information not needed for its services, bolster its cybersecurity measures, and avoid misrepresenting its security practices. It appears that no fine was imposed, perhaps because Blackbaud paid out millions of dollars in other proceedings, as explained below.
4. Blackbaud is Paying Dearly in Related Civil Litigation
Not surprisingly, Blackbaud’s conduct both before and after detection of the data breach spawned consumer litigation, as well as a lawsuit brought by the 50 state attorneys general alleging that the attacks exposed donor information of over 13,000 nonprofit groups and organizations. The consumer litigation is ongoing, but Blackbaud has agreed to pay nearly $50 million to settle allegations from the 50 state attorneys general.
5. The SEC Also Dropped the Hammer
The Securities and Exchange Commission also fined the company $3 million for failing to disclose information about the breach in a quarterly report. According to the SEC, Blackbaud’s information technology staff, despite knowing the true severity of the breach for several days, failed to properly communicate new details to upper management because the company lacked effective disclosure methods.
6. Lessons Learned
The Blackbaud incident highlights several critical lessons relating to managed file transfer and data security. It underscores the importance of implementing robust information security practices, conducting regular assessments, and promptly communicating breaches to affected parties.
We urge all our customers and readers to take proactive steps to safeguard their data and mitigate potential risks. As part of our commitment to helping organizations enhance their security posture, we offer a complimentary Managed File Transfer evaluation. By identifying vulnerabilities and inefficiencies in existing systems, this evaluation can help prevent the problems experienced by Blackbaud and ensure the protection of sensitive data.
Read more about the benefits of a complimentary Managed File Transfer evaluation and the remarkable improvements achieved here.
Contact us at info@btrade.com if you want to learn more about this offer.
__________________________________
[1] The information contained in this blog relating to the data breach incident is sourced from documents filed in the FTC administrative proceeding.