Blackbaud's FTC Deal: Delete Data, Amp Up Security


February 8, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s take a look at the Federal Trade Commission’s recent settlement with Blackbaud Inc, a service provider of software and services for more than 45,000 companies, nonprofits, foundations, educational institutions, healthcare organizations, and individual consumers throughout the U.S. and abroad.

This move comes in response to a significant data breach that exposed sensitive information belonging to millions of consumers. The FTC's enforcement action underscores a growing commitment to holding data custodians accountable for safeguarding the personal information entrusted to them by the public.

The Complaint:

According to the Complaint, service provider Blackbaud generates its revenue (approximately $1.1B in 2022) primarily from offering its clients software as a service, payment and transaction services, maintenance and support services, and professional services, including implementation, consulting, training and analytical services.

In early 2020, an attacker gained access to Blackbaud’s self-hosted legacy product databases, purportedly by using a Blackbaud customer’s login and password to reach that customer’s Blackbaud-hosted database. Once logged in, the attacker was able to move across Blackbaud-hosted environments, even creating new administrator accounts and ultimately exfiltrating a treasure trove of personal data, including Social Security numbers, bank account details, medical information and more. The breach remained undetected for months.

The FTC's investigation into the breach unveiled a series of alleged deficiencies in Blackbaud's data security practices:

  • Insufficient Encryption Practices: Blackbaud failed to encrypt sensitive information, and allegedly allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes. The FTC also alleged that Blackbaud did not encrypt its database backup files, despite the fact that those files contained complete customer records from the products’ databases, even for former customers.

  • Faulty Data Retention: Blackbaud failed to implement appropriate data retention policies, and allegedly did not enforce the policies that it had, resulting in sensitive information being retained far longer than necessary.

  • Insufficient Data Segmentation: Critical data was not adequately compartmentalized, enabling widespread access once the network was breached.

  • Poor Password Controls: The use of default, weak, or reused passwords was prevalent among employees, compromising account security.

  • Lackluster Multi-Factor Authentication: Ineffective implementation of multi-factor authentication mechanisms left user accounts vulnerable to unauthorized access.

  • Inadequate Network Monitoring: Blackbaud failed to monitor its networks for unauthorized access attempts, which allowed the hackers to operate undetected.

  • Other Neglected Security Controls: The company's failure to regularly test, review, and update its security protocols contributed to the breach's severity, along with the alleged failure to implement appropriate firewall controls and to timely patch outdated software and systems.

Accordingly, the FTC targeted Blackbaud’s allegedly “unfair information security practices,” “unfair data retention practices,” and “unfair inaccurate breach notification.” Additionally, the FTC faulted Blackbaud for its allegedly deceptive statement in its Privacy Policy regarding the security of personal information, and for alleged deceptions in its initial breach notification.

A link to the Complaint follows: https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf

The Settlement:

Under the terms of the settlement, Blackbaud is prohibited from making misrepresentations about privacy and security and also mandated to undertake sweeping reforms aimed at rectifying the identified security lapses. These include:

  • Mandatory Data Deletion: Blackbaud must systematically eliminate unnecessary personal data from its systems (and specifically delete customer backup files containing covered information).

  • Post Retention Schedule: Blackbaud must develop, adhere to and post a retention schedule for customer backup files, describing: (1) the purpose or purposes for which data is maintained; (2) the specific business needs for retaining such data; and (3) the timeframe for deletion.

  • Enhanced Security Measures: Blackbaud is required to implement a comprehensive written information security program and related security safeguards, including security training and training in secure software development principles, as well as technical measures, like:

      ◦ Using strong, unique passwords;

      ◦ Preventing password reuse and password rotation by implementing the appropriate tools;

      ◦ Requiring MFA (and not telephone or SMS-based authentication);

      ◦ Restricting inbound connections to those originating from approved IP addresses, such as corporate VPNs;

      ◦ Requiring connections to be authenticated and encrypted;

      ◦ Periodically auditing account permissions;

      ◦ Monitoring and logging transfers or exfiltration of data and other anomalous activity;

      ◦ Implementing an intrusion prevention or detection system, data loss prevention tools, firewalls, and network segmentation;

      ◦ Maintaining an asset inventory (including databases);

      ◦ Encrypting sensitive information, and more.

For more on the settlement, you can follow the link below to the Decision and Order:

https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-D%26O.pdf

Our thoughts:

1. We’re interested to see the FTC turn its attention to service providers, and specifically the issue of their security posture. For as long as we can remember, the FTC has trained its sights not on service providers, but on companies that rely on service providers to provide their products and services to consumers, and have a direct relationship with consumers. (For an example, remember SolarWinds!) For an explanation of why the security of service providers matters so much, you can additionally review our previous post, “It’s Turtles All the Way Down,” available at the following link:

https://www.hoschmorris.com/privacy-plus-news/its-turtles-and-aws-all-the-way-down

With the Blackbaud complaint and settlement, the FTC appears to have indicated its readiness to hold service providers to stringent data security standards.

2. Our only caveat here is that Blackbaud did offer some services directly to consumers, and the FTC appeared to focus on Blackbaud’s consumer-facing Privacy Policy, rather than any deceptive contractual statements about its security posture. Regardless, for businesses and organizations that handle sensitive personal information, this case highlights the necessity of adopting robust, proactive security measures to protect against cyber threats. This includes vetting your service providers and contracting appropriately.

3. We notice one other thing, which may be small…or not. As part of its “insufficient encryption practices,” the FTC criticizes Blackbaud for allegedly allowing customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes (emphasis ours).

   Does this mean that now, not only will service providers be in the crosshairs, but they will also be responsible for ensuring that their customers use their services properly by implementing certain technical controls? (This would seem to be at odds with recent FTC cases, like Chegg, which is referenced in our post, linked above.)
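To make the “fields not specifically designated for those purposes” finding concrete, here is an added example of the kind of data-discovery check a service provider could run on its own tenants’ records; it is not code from the post, the Complaint, or Blackbaud. It walks constructed donor records and flags SSN- or account-number-shaped values sitting in free-text fields (notes, comments) rather than the designated, protected columns. The field names, regexes and sample records are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Columns designated (and presumed encrypted) for each kind of sensitive value.
# Any other column holding such a value is the "not designated" case the FTC
# called out. (Assumed schema for this example.)
DESIGNATED = {"ssn": "ssn", "account_number": "bank_account"}

# Detection patterns (constructed). The SSN pattern rejects area numbers
# 000, 666 and 9xx, and all-zero group/serial parts, to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ACCOUNT_RE = re.compile(r"\b(?:acct|account)[#:\s]*\d{8,17}\b", re.IGNORECASE)


def find_misplaced(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, kind) for sensitive values found outside designated fields."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        expected = DESIGNATED.get(field)
        if SSN_RE.search(value) and expected != "ssn":
            hits.append((field, "ssn"))
        if ACCOUNT_RE.search(value) and expected != "bank_account":
            hits.append((field, "bank_account"))
    return hits


def scan(records) -> List[Tuple[str, str, str]]:
    """Scan (record_id, record) pairs; return (record_id, field, kind) findings."""
    findings = []
    for rid, rec in records:
        for field, kind in find_misplaced(rec):
            findings.append((rid, field, kind))
    return findings


# Constructed sample records; the SSN and account values are fictitious.
SAMPLE = [
    ("donor-1", {"ssn": "123-45-6789", "notes": "Pledged annual gift"}),
    ("donor-2", {"ssn": "", "notes": "SSN 456-78-9012 per phone call", "address": "1 Main St"}),
    ("donor-3", {"account_number": "12345678", "comment": "wire from acct 87654321"}),
]

if __name__ == "__main__":
    for rid, field, kind in scan(SAMPLE):
        print(f"{rid}: {kind} value found in non-designated field '{field}'")
```

A finding here is a remediation lead (move or redact the value, then encrypt the designated column), not proof of exposure on its own; wire the scan into a periodic job so the check runs against the live schema rather than a one-off export.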

For more insights into this case and its implications for data security practices, visit the FTC's official announcement and case summary on their website, available at the following link:

https://www.ftc.gov/legal-library/browse/cases-proceedings/2023181-blackbaud-inc

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.
