Blackbaud must pay $6.75 million, improve security after lying about scope of 2020 hack
The software company Blackbaud will pay $6.75 million and be forced to improve its data security and breach notification practices in a settlement following a May 2020 hack, California Attorney General Rob Bonta announced Friday.
Blackbaud sells data management software to nonprofits, allowing them to store a significant amount of individuals’ personal information. The company allegedly used exceptionally poor data security practices and initially misled consumers and regulators about the hack’s impact.
The company announced the breach in July 2020, saying the hacker did not access consumers’ personal data.
However, shortly after that announcement Blackbaud became aware that the hacker did in fact obtain personal data, including Social Security numbers, bank account numbers and medical information. It continued to publicly misrepresent what happened for nearly two months, a complaint filed by Bonta’s office said.
“The company failed to provide timely and accurate information to those impacted by the breach,” a press release from Bonta’s office said, alleging that the company’s behavior flouted consumer protection and privacy laws.
“By early August 2020, Blackbaud knew consumer bank account information and Social Security numbers were exfiltrated by the threat actor,” the complaint said.
“Yet, Blackbaud continued to make representations that the threat actor did not access bank account information or Social Security numbers.”
As of the end of 2019, the company claimed to serve some 45,000 organizations across more than 100 countries, according to the complaint.
Before the breach, Blackbaud told customers it adhered to “industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.”
In reality, the company did not use password controls requiring customers accessing sensitive environments to change passwords and avoid “default, weak, or identical passwords,” the complaint said. The company also did not require multifactor authentication.
As a result, the complaint said, the hacker exfiltrated data belonging to more than 13,000 of its customer organizations and an untold number of people.
Blackbaud said in a statement that its agreement with California resolves the final state investigation probing the hack.
“The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023,” the statement said.
Blackbaud’s statement did not address the substance of the allegations.
The lax security measures allowed the hacker to enter Blackbaud’s network by using a single compromised login and password, the complaint said.
Because the company allegedly did not appropriately segment networks, the hacker was able to “escalate his access to that of an administrator and then move across multiple Blackbaud-hosted environments.”
The company also allowed customers to store data in unencrypted fields, and did not adequately hunt for threats and intrusions, which allegedly allowed the hacker to remain in its system undetected for more than three months.
It stored customer data “for years longer than necessary.”
“Had Blackbaud implemented data minimization principles or appropriate retention policies, it could have mitigated the threat actor’s exfiltration of data,” the complaint added.
FTC and California orders
In May, the Federal Trade Commission (FTC) finalized its own settlement with Blackbaud relating to the same incident.
The FTC order requires Blackbaud to delete data that it “no longer needs to provide its products or services.” It also bars the company from “misrepresenting its data security and data retention policies,” according to an FTC statement.
Additionally, the agency’s order requires Blackbaud to create a “comprehensive information security program,” establish a schedule showing how frequently it deletes data and alert the FTC to future data breaches.
California’s order requires the company to design a program to ensure it stores database backup files containing personal information to “the minimum extent necessary” as well as establish a process for securely erasing the files.
Blackbaud also must put standards in place requiring password rotation or authentication policies and establish network segmentation requirements and network intrusion detection processes.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.