Blackbaud’s Pricey Privacy Fail: $6.75M Fine for 2020 Data Breach Cover-Up
Blackbaud’s luck ran out as it settled with California’s attorney general for $6.75 million over its 2020 ransomware attack. The cloud software biz faced criticism for poor cybersecurity practices and misleading the public about the breach’s impact. This comes after a previous $49.5 million settlement…

Hot Take:
Blackbaud just learned the hard way that you can’t just hit Control-Z on a ransomware attack and hope no one notices. Their cybersecurity practices were so shaky, they might as well have left the door open with a ‘Help Yourself’ sign. And seriously, if your excuse for not informing upper management is a lack of policies, you’re doing corporate governance wrong. It’s like forgetting to tell your boss the office is on fire because nobody wrote a memo about it.
Key Points:
- Blackbaud hit with a $6.75 million fine by California’s attorney general for poor cybersecurity and transparency.
- The 2020 ransomware attack exposed millions of individuals’ data, including PII, social security numbers, and bank details.
- The company misled the public about the scale of the breach for two months.
- Poor password practices and lack of MFA were highlighted as major security failings.
- Blackbaud settled with 49 other states and the District of Columbia for $49.5 million earlier in 2023.
Not-So-Cloud Nine
So, Blackbaud, the cloud software company that wanted to be the knight in shining armor for education, charity, and non-profit sectors, found itself in a bit of a pickle. Imagine their surprise when, after dodging a bullet from the FTC, California’s attorney general came knocking with a bill for $6.75 million. Rob Bonta, the AG, was not amused by Blackbaud’s cybersecurity shenanigans and their attempt to sweep a major data breach under the rug.
Password? What Password?
The FTC and Bonta’s complaints both read like a bad IT horror story. Blackbaud’s employees were reportedly using default, weak, or identical passwords, and MFA (Multi-Factor Authentication) was just a fancy term they had only heard about at tech conferences. Security events were more like security “suggestions,” and data protection was as solid as a wet paper bag. The cherry on top? The company didn’t even bother to monitor their security adequately.
Oops, Did We Forget to Mention Something?
When the ransomware attack happened in May 2020, Blackbaud initially played it cool, saying, “No biggie, no data stolen.” Fast forward two months, and they had to eat their words. Turns out, a substantial amount of personal data was lifted, including PII, social security numbers, unencrypted bank details, and even medical data. Their “Oh, by the way” moment came after they realized employees knew about the potential data compromise but didn’t inform upper management. Why? Because there was no policy that said they had to. Facepalm.
Timing is Everything
Adding fuel to the fire, the disclosure came right when Twitter (now X, but let’s not get into that) was dealing with its own massive security snafu. Coincidence? Blackbaud swears it was. But come on, the timing was about as convenient as a plot twist in a bad soap opera. Meanwhile, the attackers had a three-month VIP tour of Blackbaud’s systems before anyone noticed.
Who Got Burned?
The FTC claimed around 13,000 customers had their files compromised, affecting millions of individuals. High-profile academic institutions, universities, and even the UK’s National Trust were among the victims. Blackbaud’s settlement with California is just the latest chapter in this saga, following a $49.5 million settlement with 49 other states and the District of Columbia.
The Long Arm of the Law
California’s settlement not only demanded a hefty fine but also insisted that Blackbaud get its act together on basic infosec practices. This includes better data retention policies, improved password practices (finally!), and tighter controls around their infrastructure. Responding to the fine, Blackbaud said the terms were pretty much in line with what they’d agreed upon with the other states.
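The failings listed above (default, weak or identical passwords and no MFA) and the practices the settlement now demands are the kind of thing an identity team can check for mechanically. The audit below is an added example, not Blackbaud's code or any tool named in the complaints; the inventory format, the field names and the five sample accounts are constructed for illustration, and the digests are plain unsalted SHA-256 purely so that equal passwords are visible as equal digests in the demo (a real credential store uses a salted, slow hash, and reuse is caught when a password is set, not by comparing stored hashes).

```python
"""Hypothetical account-hygiene audit (added example, not the vendor's code).

Flags the failings named in the FTC and California complaints:
default passwords, one password shared across several accounts,
and accounts (especially privileged ones) running without MFA.
"""
import hashlib
from collections import defaultdict

# Constructed list of vendor/default passwords an auditor would screen for.
DEFAULT_PASSWORDS = {"password", "Welcome1", "admin", "changeme"}


def digest(password: str) -> str:
    """Unsalted SHA-256, used here only so duplicates are visible in the demo."""
    return hashlib.sha256(password.encode()).hexdigest()


DEFAULT_DIGESTS = {digest(p) for p in DEFAULT_PASSWORDS}

# Constructed inventory export; field names are assumptions for this example.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "password_sha256": digest("Welcome1"),
     "mfa_enabled": False, "privileged": True},
    {"user": "bob", "password_sha256": digest("c0rrect-horse-battery"),
     "mfa_enabled": True, "privileged": False},
    {"user": "carol", "password_sha256": digest("S3cr3t-shared-Pw!"),
     "mfa_enabled": False, "privileged": False},
    {"user": "dave", "password_sha256": digest("S3cr3t-shared-Pw!"),
     "mfa_enabled": True, "privileged": False},
    {"user": "svc_backup", "password_sha256": digest("changeme"),
     "mfa_enabled": False, "privileged": True},
]


def audit(accounts):
    """Return {issue: sorted usernames} for every failing found in the inventory."""
    findings = {
        "default_password": [],
        "shared_password": [],
        "mfa_disabled": [],
        "privileged_without_mfa": [],
    }
    by_digest = defaultdict(list)
    for acct in accounts:
        user, d = acct["user"], acct["password_sha256"]
        by_digest[d].append(user)
        if d in DEFAULT_DIGESTS:
            findings["default_password"].append(user)
        if not acct["mfa_enabled"]:
            findings["mfa_disabled"].append(user)
            if acct.get("privileged"):
                findings["privileged_without_mfa"].append(user)
    # Any digest seen on more than one account means the same password is reused.
    for users in by_digest.values():
        if len(users) > 1:
            findings["shared_password"].extend(users)
    return {issue: sorted(users) for issue, users in findings.items()}


def risk_score(findings):
    """Weight privileged accounts without MFA and default passwords highest."""
    weights = {"privileged_without_mfa": 10, "default_password": 5,
               "shared_password": 3, "mfa_disabled": 2}
    return sum(weights[issue] * len(users) for issue, users in findings.items())


if __name__ == "__main__":
    result = audit(SAMPLE_ACCOUNTS)
    for issue, users in result.items():
        print(f"{issue}: {', '.join(users) or '-'}")
    print("risk score:", risk_score(result))
```

Run against the constructed inventory, the audit flags alice and svc_backup twice (default password, privileged without MFA) and pairs carol and dave as sharing one password; the score is only a triage aid for deciding which accounts to fix first.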
So, What Now?
Blackbaud must now pony up the cash and implement the necessary security measures to avoid any more costly mistakes. Let’s hope they’ve learned that in the world of cybersecurity, you can’t just Ctrl-Alt-Delete your problems away.
And there you have it. A cloud software company that wanted to be everyone’s hero but ended up being the cautionary tale of the year. Remember, folks, in cybersecurity, honesty and robust security practices aren’t just nice-to-haves; they’re essential. Otherwise, you might find yourself writing an enormous check while the world points and laughs.
If you’re still curious and want to dive deeper