The Federal Trade Commission (FTC) has ordered South Carolina-based Blackbaud to implement a raft of security measures and enforce its data retention policies to ensure that customer data is not retained any longer than it is needed. Blackbaud is a customer relationship management software provider, whose software is used by 35,000 fundraising entities, including many nonprofit healthcare organizations to increase philanthropic revenue. In early 2020, a hacker used a Blackbaud customer’s login name and password to access the customer’s Blackbaud-hosted database. Once access was gained, the hacker was able to move laterally by exploiting security vulnerabilities to access multiple Blackbaud-hosted environments and remained undetected in Blackbaud’s environment for 3 months.
Over those 3 months, the hacker exfiltrated a vast amount of unencrypted data from tens of thousands of customers, which included the personal and protected health information of millions of individuals. The stolen data included names, contact information, medical information, health insurance information, Social Security numbers, and bank account details. The hacker threatened to publish the stolen data and Blackbaud negotiated a 24 Bitcoin ($235,000) payment for the data to be deleted. Blackbaud was, however, unable to conclusively verify that the stolen data had been deleted.
A Catalog of Security Failures
According to the FTC complaint, the acts and practices of Blackbaud constituted unfair and/or deceptive practices in violation of Section 5(a) of the Federal Trade Commission (FTC) Act. The FTC alleged that Blackbaud had failed to implement reasonable and appropriate security practices to protect the sensitive personal information of consumers. The lack of safeguards allowed an unauthorized individual to gain access to customer data and deficient security practices and the failure to enforce its data retention policies magnified the severity of the data breach.
The FTC alleged that Blackbaud allowed customers to store highly sensitive information such as Social Security numbers and bank account information in unencrypted fields and customers could upload attachments containing sensitive personal information which were not encrypted. Further, Blackbaud did not encrypt its database backup files which contained complete customer records from the products’ databases.
While Blackbaud had data retention policies, these were not enforced, which meant the company retained the data of its customers for years longer than was necessary, even the data of former customers and prospective customers. The FTC also slammed Blackbaud for waiting for 2 months to notify customers about the data breach and misrepresenting the scope and severity of the data breach in those notifications due to “an exceedingly inadequate investigation.”
Blackbaud explained in the July 16, 2023, notification letters that financial information and Social Security numbers were not compromised and said no action was required because no personal information was accessed. Blackbaud’s post-breach investigation determined on July 31, 2020, that the hacker had exfiltrated customer data, but then waited until October 2020 to disclose that information to its customers.
The affected consumers were denied the opportunity to take steps to protect against identity theft and fraud, and since the breach, Blackbaud has received multiple complaints from consumers about identity theft and fraud using their personal information, indicating the hacker did not delete the data. Blackbaud did agree to pay for credit monitoring services, but those services were offered months after the breach and only to a limited subset of the affected customers.
Blackbaud made explicit representations about its information security practices which led customers to believe that personal information would be protected; however, the FTC alleged that there were insufficient password controls, a lack of multifactor authentication, a failure to monitor logs for signs of unauthorized system activity, a failure to enforce its data retention policies, a failure to patch outdated software and systems promptly, a failure to implement appropriate firewall controls, a failure to implement appropriate network segmentation, and a failure to test, audit, assess, or review its products’ or applications’ security features. Blackbaud also failed to conduct regular risk assessments, vulnerability scans, and penetration testing of its networks and databases.
FTC Orders Major Security Updates and Data Deletion
The FTC alleged unfair information security practices, unfair data retention practices, unfair inaccurate breach notifications, deceptive initial breach notifications, and deceptive security statements. The FTC’s proposed order requires Blackbaud to implement and maintain a comprehensive information security program that complies with industry best practices. The order includes 14 security requirements and Blackbaud is also required to delete all customer data that is not required and undergo independent security assessments.
“Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement about the consent order. “The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.”
Blackbaud previously settled a multistate action with the attorneys general in 48 states and the District of Columbia and paid a $49.5 million penalty, and was ordered to pay a $3 million civil monetary penalty by the U.S. Securities and Exchange Commission for omitting important facts about the data breach in its August 2020 quarterly report. Blackbaud is also being sued by consumers whose personal information was stolen.
The post FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies appeared first on HIPAA Journal.