A supply chain attack at software vendor Blackbaud in 2020 saw data on multiple UK organisations compromised. The US authorities are now taking steps to make sure it can't happen again
Published: 05 Feb 2024 15:45
Three and a half years on from a devastating 2020 ransomware attack that resulted in data breaches at hundreds of downstream customers of cloud software firm Blackbaud, the US-based vendor has been blasted by authorities over major cyber security failings, and ordered to take remedial steps.
Blackbaud specialises in financial, fundraising and admin software pitched at educational institutions and non-profits. The attack on its systems in 2020 is known to have impacted the data of multiple UK universities, including Aberdeen, Birmingham, Bristol, Brunel, Durham, East Anglia, Exeter, Glasgow, Heriot-Watt, Kent, Leeds, Liverpool, London, Loughborough, Manchester, Northampton, Oxford Brookes, Reading, Robert Gordon, Staffordshire, Strathclyde, Sussex and West London.
Non-profit victims include Action on Addiction, Breast Cancer Now, the Choir with No Name, Maccabi GB, the National Trust, Sue Ryder, the Urology Foundation and the Wallich. Data on Labour Party donors was also taken.
At every step in its response, it has since emerged, Blackbaud failed to follow recognised and recommended incident response best practice.
The attack began in February 2020 and was discovered in May, but Blackbaud waited almost two months to notify victims. It then openly disclosed that it had paid a ransom of 24 bitcoin in exchange for a promise that the ransomware gang would delete the data, but it never verified that this was actually done.
In a complaint published on 1 February, the US Federal Trade Commission (FTC) said that Blackbaud failed to implement appropriate safeguards to protect and secure its customers' data.
"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure data they maintain and to delete data they no longer need."
In its complaint, the FTC said Blackbaud deceived its customers by failing to implement physical, electronic and procedural safeguards to protect their data, despite having promised to do so.
Among other things, it failed to monitor repeated attempts to break into its systems, to segment data so that an intruder could not reach all of it, to ensure that unneeded data was deleted, to implement multi-factor authentication (MFA), and to test, review and assess its security controls. It also allowed its own employees to use default, weak or identical passwords across their accounts.
Because of these failings, the threat actor behind the intrusion was able to move freely around multiple environments at will, exploiting known vulnerabilities and admin accounts, and accessing and exfiltrating unencrypted data on the company's customers.
Additionally, the FTC said, Blackbaud was retaining data for far longer than was necessary for the purpose for which it was held; as a result, some of the compromised data related to organisations that were no longer customers.
The FTC also cited the two-month delay in notification, even though Blackbaud was well aware its attacker had obtained sensitive data, including financial information and US Social Security numbers. This delay, it said, harmed ordinary people, who were unable to do anything to protect themselves against identity theft or other harms.
Going forward, the FTC is proposing an order requiring Blackbaud to delete data it no longer needs to provide products or services to customers, and prohibiting it from misrepresenting its security practices. The FTC's order will also require the firm to develop a "comprehensive" cyber security programme to address the issues that were found, and to notify the FTC if it experiences a notifiable breach in future.
Blackbaud has previously been penalised by the Securities and Exchange Commission, the US financial regulator, over its misleading response to the cyber attack. Additionally, last year, it reached an agreement to pay $49.5m, split across all 50 US states, to resolve their investigations into whether it violated state laws and the federal Health Insurance Portability and Accountability Act. It was also reprimanded by the Information Commissioner's Office in the UK.