Blackbaud Faces Criticism for Cybersecurity Lapses After 2020 Data Breach

The cloud software company Blackbaud has come under fire from regulators over the serious cybersecurity failings behind a damaging ransomware attack in 2020. The attack exposed data belonging to numerous educational institutions and non-profits that used Blackbaud's services, including prominent UK universities, organisations such as the National Trust, and donors to the Labour Party.

The intrusion began in February 2020 but was not detected until May, and it had severe consequences for the affected organisations. Blackbaud nevertheless waited almost two months before notifying victims, and it openly admitted to paying the attackers a ransom of 24 bitcoin without any way of verifying that the stolen data had actually been deleted.

The US Federal Trade Commission (FTC) has issued a complaint against Blackbaud, accusing the company of failing to implement adequate safeguards for customer data. The FTC also took issue with Blackbaud's deceptive statements about its security, alleging that the company failed to follow basic security practices, including monitoring for unauthorised access attempts, segmenting data, enforcing multi-factor authentication, and regularly testing its security controls.

The FTC specifically criticised Blackbaud for retaining customer data for longer than necessary and for allowing employees to use weak or default passwords. These lapses enabled the threat actor to move freely through Blackbaud's systems, exploit vulnerabilities, and access unencrypted customer data.

In response to these failings, the FTC is proposing an order requiring Blackbaud to delete data it no longer needs, to stop misrepresenting its security practices, and to establish a comprehensive cybersecurity programme. The order would also require Blackbaud to notify the FTC promptly of any future breaches.

This isn't the first time Blackbaud has faced consequences over the breach. The company has previously been penalised by the Securities and Exchange Commission and reached a $49.5 million settlement with US state attorneys general. Last year it also received a reprimand from the UK's Information Commissioner's Office.

The FTC's complaint emphasises that companies like Blackbaud have a responsibility to secure and manage the data they hold. Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, stated, “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

Another incident of this scale underscores the importance of robust security controls and prompt incident response in safeguarding sensitive data. The proposed FTC order aims to enforce accountability and adherence to basic security practices, pushing Blackbaud to take decisive steps to improve its security posture.

The incident is a stark reminder to organisations and individuals alike of the need to strengthen their security practices in the face of growing cyber threats. As Blackbaud faces continued regulatory scrutiny, the broader lesson is that any organisation holding sensitive data carries an ongoing responsibility to protect it, and to dispose of it when it is no longer needed.