HealthcareInfoSecurity.com reported that “The Federal Trade Commission is the latest regulatory agency taking action against fundraising and customer relationship management software provider Blackbaud in the aftermath of a 2020 ransomware incident that compromised the data of tens of thousands of clients and millions of consumers.” The February 1, 2024 report entitled “FTC Blasts Blackbaud’s ‘Shoddy’ Practices in Ransomware Hack” (http://tinyurl.com/4d3vps7f) included these comments from Samuel Levine (director of the FTC’s Bureau of Consumer Protection):

Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,…

Companies have a responsibility to secure data they maintain and to delete data they no longer need.

And these comments:

The FTC’s complaint against the company says that on Feb. 7, 2020, an attacker gained access to Blackbaud’s self-hosted legacy product databases and remained undetected for over three months, until May 20, 2020, when a member of the firm’s engineering team identified a suspicious login on a backup server.

By using a Blackbaud customer’s login and password to access the customer’s Blackbaud-hosted database, the attacker was able to freely move across multiple Blackbaud-hosted environments by compromising existing vulnerabilities and local administrator accounts, subsequently creating new administrator accounts, the FTC said.

The hacker exfiltrated “massive amounts” of consumer data belonging to Blackbaud’s customers, including millions of consumers’ unencrypted personal information, such as full name, age, birthdate, Social Security number, home address, phone number, email address and financial information – including bank account information, estimated wealth and identified assets, the FTC said.

Medical information was also compromised in the hack, including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, reasons for seeking medical treatment, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment information – including salary, educational information and account credentials, the FTC said.

Interesting story!

First published https://www.vogelitlaw.com/blog/ftc-not-happy-about-blackbauds-shoddy-practices-in-ransomware-hack