Cybersecurity and Donor Management Systems
Two of the best reasons to care about cybersecurity are to be a good steward of the money you’ve been given by your donors and to attract new donors.
Your donors want to see you keep control of the money they’ve given you and put it to work making the world a better place. Unfortunately, donor management platforms are juicy targets that often remain low-hanging fruit for thieves.
In July 2020, Blackbaud, which offers software and other products for “social good organizations” including nonprofits, foundations, and educational institutions, was breached.
Attackers stole unencrypted bank account numbers, social security numbers, and login credentials belonging to 13,000 of Blackbaud’s customers and to those customers’ own clients. They also stole a variety of other data, including demographic information, driver’s license numbers, financial records, employment data, donation history, wealth status, and even protected health information. An identity theft gold mine.
Attackers held the information for ransom and threatened to release the data if they were not paid. Blackbaud paid but never verified that the attackers actually deleted the information. Blackbaud unfortunately did not handle the breach response or the post-breach fallout very well.
Ahead of the breach, the FTC alleges that Blackbaud “failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls” and “allowed employees to use default, weak, or identical passwords for their accounts.”
During the breach, Blackbaud’s technology and consumer relations staff discovered that bank account numbers and social security numbers had been stolen but did not escalate the issue to management, because there was no reporting procedure.
Then, when filing its 8-K in September 2020, Blackbaud left out crucial details of the scope of the breach and downplayed how sensitive the stolen information was and “characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.”
43 States’ Attorneys General sued Blackbaud post-breach and won a settlement of $49.5 million. The SEC then sued them again for failing to disclose the full impact of the breach and for falsifying its quarterly report. They are also dealing with 23 consumer class action lawsuits.
Blackbaud will be dealing with the chronic costs of the 2020 breach for years to come, and not just in court fees and settlements. They’re also now required to implement the security engineering they should have been doing ahead of the breach. Here’s a sample of the fixes they have to build and maintain:
· Implement and maintain a breach response plan
· Assist customers in the event of a breach
· Improve network segmentation, firewalls, and access controls
· Improve patch management
· Improve logging and monitoring
· Provide better employee security training
· Encrypt the entire database storing personally identifiable information
· Delete customer data that is no longer needed
· Accurately portray data retention and protection procedures
If your organization hasn’t yet engaged with cybersecurity, you could do far worse than looking at that list and checking what you’re doing for each item.
This breach shows us that we need to seriously evaluate ourselves and our vendors, and to ask the hard question: are we doing all we can to make sure the money we’re trusted with goes to our teams and our missions, or will it end up set aside to pay thieves and fines?
Sources: