While cloud software company Blackbaud has recently agreed to fork over more than $50 million to South Carolina and 49 other states, as well as settle with the FTC (Federal Trade Commission) for a data breach impacting millions, the Charleston-based company isn’t completely out of the woods.

One Mount Pleasant law firm believes that the defendant needs to do more in addressing its track record of cyber security snafus and initiated legal action earlier this month. Since that date, the Court has denied Blackbaud’s numerous attempts to dismiss the lawsuit, allowing claims for violations of state consumer protection laws and breach notification laws, which resulted in compromising the private information of millions of people, to proceed. During a March 8 class certification hearing, plaintiffs’ counsel shared how easily the data breach could have been prevented.

One item that has come to light, according to litigator Amy Keller of Dicello Levitt, is that KPMG — Blackbaud’s cybersecurity auditor — withdrew an important cybersecurity verification after learning publicly about Blackbaud’s breach, and Blackbaud still hasn’t told its customers. Keller called Blackbaud’s credibility into question.

“So, we’re to believe a company who has misrepresented the scope of the breach, right, originally the type of information that was disclosed in the breach,” she began. “The fact that they paid a hacker for confirmation that the data had been destroyed when they can’t confirm the data had been destroyed, when they haven’t disclosed that their SOC-2 certification was withdrawn 2018 to 2019, and they still haven’t told their customers. We’re supposed to believe them … don’t worry? There’s no risk of harm?”

“Blackbaud held itself out as ‘the world’s leading software cloud company powering social good’ while using outdated data security practices,” maintained Motley Rice attorney Marlon Kimpson, who’s serving as plaintiffs’ co-lead counsel.

SOC reports are created to assure customers that an organization is following the controls needed to keep information safe. That Blackbaud’s report was withdrawn for 2018 to 2019 was disclosed during the hearing. Gretchen Cappio, who also represents the plaintiffs, said: “Not only did KPMG withdraw the report, but it suspended work on its SOC 2 certification for 2020. And it also told Blackbaud to tell its customers that it withdrew the report. To this very day, Blackbaud has failed to do that.”

Per court documents, an unidentified attacker gained access to Blackbaud’s self-hosted legacy product databases on Feb. 7, 2020. The hacker reportedly remained undetected for more than three months until May 20 of the same year, when a Blackbaud engineer noticed a suspicious login into a backup server. Over that three-month period, the unnamed attacker had stolen data from tens of thousands of customers, which compromised the personal information of millions of individuals. Upon detecting the breach, according to an FTC report, Blackbaud agreed to pay a ransom of 24 bitcoin (or about $250,000) when the hacker threatened to expose the stolen data. The federal agency also noted that the software company never verified if the data in question was ever deleted.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of customers,” said FTC’s Bureau of Consumer Protection Director Samuel Levine in a Feb. 1 press release. “Companies have a responsibility to secure data they maintain and to delete the data they no longer need.”

Motley Rice identified the types of highly sensitive data involved in the breach during the March 8 class certification hearing. Data exposed included people’s birthdays, social security numbers, medical insurance details and medical histories, among other types of data, belonging to nonprofit donors, students, faculty members, church/temple congregants and hospital patients.

“The cyber criminals explored the same vulnerabilities that employees and outside security consultants had been warning Blackbaud’s leadership about for years,” mentioned Keller. “In fact, one key vulnerability that cyber criminals exploited is called sticky keys — and it has been widely known in the information security industry since 2013. And Blackbaud had been specifically warned about this vulnerability by a cyber security firm called Pretorian in 2016.” Keller continued: “The security gap was so embarrassing for Blackbaud internally, that its own employees lamented, ‘[We’re] owned by stick(y) keys? What year is it?’”

Plaintiffs’ counsel went on to communicate that Blackbaud fed their customer base with “false assurances” in terms of claiming that cyber criminals did not access credit card information, bank account information or social security numbers.

“In short, they were lied to. And Blackbaud never bothered to correct those lies.”

Even more damning is the alleged offender’s refusal to own up to its misdeeds by blaming customers for the breach. Specifically, Blackbaud contends that its customers — who are frequently non-profits, schools, churches and hospitals — didn’t place information into encrypted fields, when Blackbaud itself never encrypted its backup files.

In addition to never having apologized to the victims of the breach, stated Kimpson, Blackbaud has also fallen short in providing relief to the compromised individuals.

What the settlements haven’t accomplished, he went on to say, is revealing transparent information about Blackbaud’s security shortcomings prior to the 2020 breach and details on how it occurred. Further, Kimpson noted that prior actions on the part of US attorneys general and the FTC haven’t forced the publicly traded software provider to dedicate sufficient resources to address the ramifications of Blackbaud’s admission of being “eight to ten years (behind) to achieve a healthy state” of cybersecurity.

On that note, during the class certification hearing, the Moultrie News was made privy to the ways in which Blackbaud failed to enact basic cybersecurity controls, such as:

• No multi-factor authentication

• Inadequate monitoring

• Inadequate patching to ensure that cybersecurity vulnerabilities were addressed

• Failing to disable “sticky keys” in Citrix, which Blackbaud knew was an issue years before the 2020 data breach
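As an added defender-side example that is not part of the article, the following PowerShell audit checks a Windows/Citrix session host for the “sticky keys” weakness the hearing referred to. It assumes that weakness is the long-known accessibility-binary substitution (sethc.exe and its siblings replaced or redirected through an Image File Execution Options debugger entry) and that the Sticky Keys hotkey is disabled by setting the StickyKeys Flags value to 506; the function name is the author’s own.

```powershell
# Added example (not from the article or from Blackbaud/Citrix): audit a session host for the
# "sticky keys" weakness. Assumptions: the weakness is the classic accessibility-binary
# substitution / IFEO-debugger redirection, and the hotkey is disabled via Flags=506.
function Test-StickyKeysHardening {
    $findings = @()
    $accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                             'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($bin in $accessibilityBinaries) {
        # 1. A Debugger value under IFEO for an accessibility binary redirects the logon-screen
        #    helper to another program and should never be present on a hardened host.
        $key = Join-Path $ifeoRoot $bin
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { $findings += "IFEO Debugger set for $bin -> $dbg" }
        }

        # 2. The on-disk binary must still carry a valid Microsoft Authenticode (or catalog) signature;
        #    a replaced binary shows up here as NotSigned/HashMismatch or a non-Microsoft signer.
        $path = Join-Path $env:SystemRoot "System32\$bin"
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft*') {
                $findings += "$bin signature status '$($sig.Status)', signer '$signer'"
            }
        }
    }

    # 3. Sticky Keys hotkey: Flags=506 disables the five-times-Shift trigger; the default (510)
    #    leaves it enabled. HKCU covers only the current profile; on a shared session host the
    #    same value must also be enforced in the Default User hive or via Group Policy.
    $flags = (Get-ItemProperty 'HKCU:\Control Panel\Accessibility\StickyKeys' `
              -ErrorAction SilentlyContinue).Flags
    if ($flags -ne '506') {
        $findings += "StickyKeys hotkey not disabled (Flags=$flags; expected 506)"
    }

    [pscustomobject]@{
        Hardened = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Test-StickyKeysHardening
```

Run it in an elevated PowerShell session on the session host; a `Hardened` value of `$false` lists each control that is missing so it can be remediated before the host accepts logons.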

Motley Rice seeks to enable the class representatives to assert their rights and the rights of millions of victims of the Blackbaud data breach.

An email request for comment to the Blackbaud media department from this paper hasn’t yet been responded to as this article goes to press.

To learn more about Motley Rice’s history and casework, visit www.motleyrice.com.
