Incident Details
Blackbaud Inc., a company based in South Carolina, has agreed to erase unnecessary personal data under a settlement with the Federal Trade Commission. The agreement comes after allegations that the company's weak security measures enabled a cybercriminal to infiltrate its network and obtain sensitive information, such as Social Security and bank account details, of numerous individuals. The FTC accuses Blackbaud of lacking adequate measures to safeguard the extensive personal data it handles while offering data services and software solutions to various entities, including businesses, nonprofits, and healthcare organizations.
Incident
How Did the Breach Happen?
In early 2020, a hacker managed to breach a customer's database hosted by Blackbaud. By exploiting known vulnerabilities and local administrator accounts, the hacker easily navigated through various Blackbaud-hosted systems, eventually gaining unauthorized access to substantial volumes of unencrypted sensitive consumer information.
What Data Has Been Compromised?
A security breach led to the exposure of private information belonging to numerous consumers, such as Social Security numbers and bank account details.
Why Did the Company's Security Measures Fail?
Blackbaud's security procedures proved ineffective because they lacked the necessary safeguards. The company did not properly monitor for hacker attempts to infiltrate its systems, segment data to prevent unauthorized access, delete data it no longer needed, implement multifactor authentication, or adequately test and assess its security controls.
What Immediate Impact Did the Breach Have on the Company?
After discovering the breach, Blackbaud paid a ransom of 24 Bitcoin, worth approximately $250,000, to prevent the hacker from revealing the compromised information. Despite this, the company did not confirm whether the hacker actually deleted the stolen data. Moreover, Blackbaud took almost two months to inform its clients about the breach and provided inaccurate information about the extent of the data that was compromised. This delay harmed consumers, who were unable to protect themselves against potential identity theft and other risks linked to the breach.
How could this have been prevented?
Effective security measures, including monitoring and addressing possible breaches, isolating data, eliminating unnecessary data, using robust authentication techniques, and routinely evaluating security measures, could have thwarted this incident.
What have we learned from this data breach?
This security incident underscores the importance of establishing strong security practices and promptly informing the individuals affected by a breach. It also shows that organizations need to consistently review and improve their security procedures to safeguard personal data.
Summary of Coverage
A lack of strong security measures at Blackbaud enabled a cybercriminal to infiltrate the company's systems and obtain the private information of numerous customers, exposing sensitive details such as Social Security numbers and banking information. The company's delayed response and its lack of effective security protocols worsened the impact on those affected. As part of the settlement, Blackbaud must delete unnecessary data, strengthen its protective measures, and establish a thorough data security strategy.