Blackbaud blasted for failing to prevent customer breaches
A supply chain attack at software supplier Blackbaud in 2020 saw data on multiple UK organisations compromised. The US authorities are now taking steps to ensure it can’t happen again
Three and a half years on from a devastating 2020 ransomware attack that led to data breaches at thousands of downstream customers of cloud software company Blackbaud, the US-based supplier has been blasted by authorities over major cyber security failings, and ordered to take remedial steps.
Blackbaud specialises in financial, fundraising and admin software pitched at educational institutions and non-profits. The attack on its systems in 2020 is known to have impacted the data of multiple UK universities, including Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London.
Non-profit victims include Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, the National Trust, Sue Ryder, the Urology Foundation and the Wallich. Data on Labour Party donors was also taken.
It has since emerged that, at every step of its response, Blackbaud failed to follow recognised and recommended incident response best practice.
The attack began in February 2020 and was discovered in May, but Blackbaud waited almost two months to inform victims. It then openly disclosed it had paid a ransom of 24 bitcoin in exchange for a promise that the ransomware gang would delete the data, but never verified that this was done.
In a complaint published on 1 February, the US Federal Trade Commission (FTC) said that Blackbaud failed to implement appropriate safeguards to protect and secure its customers’ data.
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
Read more about the Blackbaud incident
- 24 July 2020: Data on students at the University of York was stolen in a ransomware attack on a supplier two months ago, and the response of both parties raises serious questions.
- 28 July 2020: Embattled cloud services provider Blackbaud now has big questions to answer over its handling of data belonging to UK universities and charities.
- 30 July 2020: More than 120 education and third-sector organisations may have had their data compromised through the breach of Blackbaud’s cloud platform.
- 31 July 2020: Widening Blackbaud data breach ensnares the Labour Party as the cloud software firm continues to duck questions about its behaviour.
- 20 October 2020: Software firm Blackbaud paid off a ransomware gang, believed its hackers when they said they had destroyed the data, and has now discovered the cyber criminals accessed even more sensitive information than it thought.
In its complaint, the FTC said Blackbaud deceived its customers by failing to implement physical, electronic and procedural safeguards to protect their data despite having promised to do so.
Among other things, it failed to monitor repeated attempts to break into its systems, segment data to prevent an intruder from accessing it, ensure that unneeded data was deleted, implement multi-factor authentication (MFA), and test, review and assess its security controls. It also allowed its own employees to use default, weak or identical passwords across their accounts.
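Two of the controls the FTC lists, monitoring repeated break-in attempts and preventing default or identical passwords, are the kind of checks that can be run mechanically against authentication logs and a credential inventory. The following Python is an example added here; it is not Blackbaud's code and does not come from the FTC complaint. The log line format, the account names and addresses, the credential inventory and the list of known default passwords are all constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (illustrative only, not from
# the incident). Five failures in 25 seconds followed by a success on one
# account is the pattern a monitoring control should surface.
SAMPLE_LOG = """\
2020-02-07T10:00:01Z auth FAIL user=svc_backup src=203.0.113.10
2020-02-07T10:00:04Z auth FAIL user=svc_backup src=203.0.113.10
2020-02-07T10:00:09Z auth FAIL user=svc_backup src=203.0.113.10
2020-02-07T10:00:15Z auth FAIL user=svc_backup src=203.0.113.10
2020-02-07T10:00:20Z auth FAIL user=svc_backup src=203.0.113.10
2020-02-07T10:00:26Z auth OK user=svc_backup src=203.0.113.10
2020-02-07T10:05:00Z auth FAIL user=alice src=198.51.100.7
2020-02-07T11:30:00Z auth FAIL user=alice src=198.51.100.7
2020-02-07T11:31:00Z auth OK user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "ok": m.group(2) == "OK",
        "user": m.group(3),
        "src": m.group(4),
    }


def detect_repeated_failures(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, src) pairs with >= threshold failures inside a sliding time window.

    Returns a dict keyed by (user, src) holding the failure count when the
    threshold was crossed, the first failure timestamp, and whether a
    successful login followed the burst (the highest-priority signal).
    """
    recent = defaultdict(deque)  # (user, src) -> failure timestamps in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["ok"]:
            if key in alerts:
                alerts[key]["success_after_burst"] = True
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"failures": len(q), "first_seen": q[0], "success_after_burst": False}
    return alerts


# Constructed credential inventory, as an audit of service accounts might
# produce; values are placeholders, not real secrets.
SAMPLE_INVENTORY = {
    "svc_backup": "Welcome1",
    "svc_reports": "Welcome1",
    "dba_admin": "admin",
    "alice": "correct horse battery staple",
}
KNOWN_DEFAULTS = {"admin", "password", "Welcome1"}  # constructed default list


def fingerprint(secret):
    """Short hash so audit output never echoes the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit_credentials(inventory, known_defaults=KNOWN_DEFAULTS):
    """Report accounts that share a password and accounts using a known default."""
    by_fp = defaultdict(list)
    for account, secret in inventory.items():
        by_fp[fingerprint(secret)].append(account)
    default_fps = {fingerprint(d) for d in known_defaults}
    shared = {fp: sorted(accts) for fp, accts in by_fp.items() if len(accts) > 1}
    defaults = sorted(a for a, s in inventory.items() if fingerprint(s) in default_fps)
    return {"shared": shared, "defaults": defaults}


if __name__ == "__main__":
    for key, info in detect_repeated_failures(SAMPLE_LOG).items():
        print("repeated failures:", key, info)
    print("credential audit:", audit_credentials(SAMPLE_INVENTORY))
```

The sliding window matters: two failures an hour apart on `alice` are normal user behaviour and produce no alert, while the burst on `svc_backup` does, and the success that follows it is what turns a noisy signal into one that needs an immediate response. The credential audit reports only hash fingerprints, so the report itself does not become another copy of the secrets.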
As a result of these issues, the threat actor behind the intrusion was able to move freely around multiple environments at will, exploiting existing vulnerabilities and admin accounts, and accessing and removing unencrypted data on the firm’s customers.
Additionally, the FTC said, Blackbaud was retaining data for far longer than was necessary for the purpose for which it was maintained – as such, some of the data related to organisations that were no longer customers.
The FTC also cited the two-month delay in notification, even though Blackbaud was well aware its attacker had obtained sensitive data including financial information and US Social Security numbers. This delay, it said, harmed ordinary people who were unable to do anything to protect themselves against identity theft or other harms.
Going forward, the FTC is proposing an order requiring Blackbaud to delete data it no longer needs to provide products or services to customers, and prohibiting it from misrepresenting its security practices. The FTC’s order will also demand that the company develop a “comprehensive” cyber security programme to address the issues that were found, and that it notify the FTC if it experiences a notifiable breach in future.
Blackbaud has previously been penalised by the Securities and Exchange Commission, the US financial regulator, over its misleading response to the cyber attack. Additionally, last year, it reached an agreement to pay $49.5m, split across all 50 US states, to resolve their investigations that it violated state laws and the federal Health Insurance Portability and Accountability Act. It was also reprimanded by the Information Commissioner’s Office in the UK.