State Is Latest Regulator to Take Action Against Fundraising Software Firm

Fundraising software vendor Blackbaud will pay $6.75 million and improve its data security practices under a settlement with California's attorney general. The agreement is the latest settlement between the South Carolina firm and state and federal regulators in the wake of a 2020 ransomware attack that affected 13,000 clients and compromised sensitive data of millions of individuals.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

Under its agreement with the California attorney general, which is subject to court approval, Blackbaud must pay financial penalties and comply with requirements to strengthen its data security and breach notification practices.

In July 2020, Blackbaud disclosed that a hacker breached the company's IT network in May 2020 but did not access consumers' personal data, the state attorney general said.

"However, soon after, the company realized that the hacker did access personal data, including Social Security and bank account numbers. Despite this discovery, the company failed to provide timely and accurate information to those impacted by the breach," the California Office of the Attorney General said in a statement.

"These actions violated the Reasonable Data Security Law, Unfair Competition Law and the False Advertising Law related to data security," the statement says.

Last fall, Blackbaud agreed to pay $49.5 million and improve its data security practices to settle an investigation into the incident by the attorneys general of 49 states, plus the District of Columbia, following the hack (see: Blackbaud Pays $49.5M to Settle With State AGs in Breach).

But it isn't just state regulators who have slapped Blackbaud with fines and corrective actions. Federal regulators - including the Federal Trade Commission and the U.S. Securities and Exchange Commission - have issued sanctions against the firm.

In February, the FTC ordered Blackbaud to delete personal data that is no longer needed and to implement a long list of security improvements in the wake of the hack. That order was finalized by the commission in May.

The FTC in its case against the firm cited Blackbaud for a number of FTC Act violations, including deceptive breach notification statements and deceptive statements about its information security practices (see: FTC Blasts Blackbaud's 'Shoddy' Practices in Ransomware Hack).

Last year, the SEC slapped Blackbaud with a $3 million fine over the company's handling of the breach, including the firm's public disclosures (see: Blackbaud to Pay $3 Million Over Erroneous Breach Details).

But U.S. federal and state regulators aren't the only government entities that have taken actions against Blackbaud. Britain's Information Commissioner's Office reprimanded the company in September 2021 without levying a fine. Reprimands typically detail the ways in which the privacy watchdog thinks an organization has violated the U.K.'s General Data Protection Regulation and make recommendations for addressing these shortcomings.

Besides paying the multimillion-dollar financial penalty, under its settlement with the California attorney general, Blackbaud is required to comply with "robust data security improvements to prevent future breaches," including:

"The settlement will ensure that Blackbaud prioritizes safeguarding consumers' personal information and enhances security measures to prevent future incidents," said California Attorney General Rob Bonta in a statement.

"Not only did Blackbaud fail to protect consumers' personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable."

On May 14, 2020, Blackbaud's IT personnel detected unauthorized access the company's systems, the California attorney general said in court complaint detailing the hack.

"The threat actor who gained unauthorized access to Blackbaud's systems threatened to publish several hundred terabytes of Blackbaud's customers' sensitive data if a ransom was not paid," the document says. "Blackbaud thereafter paid the threat actor a ransom in exchange for the threat actor's promise to destroy this data."

The SEC in its complaint said that Blackbaud agreed to pay the cybercriminals 24 bitcoin - valued at $235,000 at the time.

Following Blackbaud's investigation into the incident, the company determined the threat actor had accessed and exfiltrated personal data belonging to over 13,000 Blackbaud customers, including clients in California. Consumer data accessed and exfiltrated included Social Security numbers, bank account information and medical information.

The threat actor gained entry into Blackbaud's systems by using a Blackbaud customer's compromised login and password to access the customer's Blackbaud virtual desktop environment, the court documents say.

"Blackbaud did not implement appropriate password controls, such as mandating all customers accessing sensitive environments rotate passwords and avoid default, weak or identical passwords. Blackbaud also failed to mandate authentication protocols, like multifactor authentication, as a separate layer of security to protect its system from unauthorized entry."

Prior to the incident, Blackbaud lacked other critical security controls and policies, the California attorney general said. It failed to implement appropriate network segmentation; stored the personal information of consumers, including Californians, in unencrypted fields and for many years longer than necessary; and failed to implement appropriate threat and intrusion detection processes.

Neither Blackbaud nor the California attorney general's office immediately responded to Information Security Media Group's requests for comment and additional details about the settlement.