Months after escaping without a fine from the US Federal Trade Commission (FTC), the luck of cloud software biz Blackbaud ran out when it came to reaching a settlement with California's attorney general.

The developer of apps for education, charity, and non-profit organizations will have to pay $6.75 million after Rob Bonta chastised its cybersecurity practices and lack of transparency following its 2020 ransomware attack.

"Not only did Blackbaud fail to protect consumers' personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable," said attorney general Bonta.

"Today's settlement will ensure that Blackbaud prioritizes safeguarding consumers' personal information and enhances security measures to prevent future incidents."

The FTC's complaint [PDF] against Blackbaud alleged a litany of security failings, many of which were echoed by Bonta.

Password controls, or lack thereof, were top of the list. Blackbaud's staff would allegedly routinely use default, weak, or identical passwords. And you can forget about MFA too, at least according to the complaint. There was none of that involved if anyone wanted to remote into sensitive environments.

The complaint went on to say security events weren't monitored well enough, data protection and retention practices weren't up to scratch, patching was poor, product security wasn't adequately audited, and more.

Bonta said it was these alleged failings that led to the 2020 breach, but the real kicker was that the company misled the public for two months about the scale of the incident.

The public admission came in July about the attack that occurred in May. Blackbaud said at the time it didn't think any data was stolen. Case closed, or perhaps not.

It later discovered that, actually, a really quite large amount was indeed lifted including the usual personally identifiable information (PII) and in some other cases social security numbers, unencrypted bank details, and medical data was stolen.

An updated Form 8-K was then issued saying the criminals behind it "may have accessed some" data.

Regarding the reason behind not disclosing the full picture in the first instance, Blackbaud explained that employees became aware of potential data compromise but didn't tell upper management because the company "did not have policies or procedures in place designed to ensure they do so," court documents read.

The disclosure drew further criticism because it also revealed that the attackers lurked inside Blackbaud's systems undetected for three months, and its publication just so happened to coincide with a whopper of a security snafu over at what was then called Twitter. Blackbaud insisted it was just a coincidence, though.

The FTC's complaint alleged that files belonging to around 13,000 customers were taken, which ultimately meant millions of individuals were affected. High-profile academic institutions and universities comprised many of the most notable victims across the world, while non-profits such as the UK's National Trust also featured alongside various charities and other international organizations.

Blackbaud's settlement with Bonta is the final one in the saga, after the firm previously settled with the 49 other state AGs and the District of Columbia in October 2023 for a sum of $49.5 million.

In addition to the $6.75 million fine, Bonta's settlement terms also included similar provisions made in earlier settlements, mainly around doing the basics of infosec. To avoid any additional punishment, Blackbaud will have to establish a minimum retention policy for data, greatly improved password practices, and tighter controls around infrastructure - namely the use of network segmentation and monitoring.

Responding to Bonta's fine, Blackbaud told The Register: "Blackbaud has reached a settlement with the attorney general of California, fully resolving the last remaining US state attorney general investigation into the company's 2020 security incident.

"The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state attorneys general and the District of Columbia on October 5, 2023, as previously disclosed."

The bumper fine, equivalent to roughly $1 million per state, followed an earlier $3 million payment made to the SEC in exchange for not admitting or denying the financial regulator's findings.

Over in the UK, Blackbaud received what we called an astonishingly mild sanction, equivalent to a little slap on the wrist - one done in private and only revealed thanks to a request made under the Freedom of Information Act. ®

https://www.theregister.com//2024/06/17/blackbaud_breach_california_settlement/