DailyPost 2825
BLACKBAUD FINED
In a world where getting hacked is the new normal and the ransom generated by ransomware is a multibillion dollar industry, IT and other companies decide their cyber security stance on a whim. That security should be commensurate with the threat is a truism. The complexity of industry does not allow for very specific standards, nor for methodologies that measure security against fixed parameters. Nonetheless, the attacks themselves give a very fair idea of whether the cyber security was up to the mark or not. This becomes an indicator with which to prove deliberate negligence on the part of the company protecting customer data. Cyber security costs money and also needs the availability of expertise, hence companies have learnt the art of cutting corners, and mostly they have gotten away with it.
The companies also remain confident that they can play around with the cyber security agencies, if any, and that they can project that they meet all regulatory and governance requirements, as the case may be. The joy ride does not end here. Just in case the hackers come knocking, they have the playbook in place. They can manage the dissemination of facts, and the media, in a way that shows the hack was puny and that they are in control of things. The regulators have generally been managed with pliable tech data and an equally pliable narrative. The courts now think differently, and that is a welcome change.
The punishment for putting customers’ data at risk has, in this case, been awarded. The company in question is Blackbaud, a South Carolina based software company. Blackbaud suffered a ransomware attack in 2020. The conclusion now reached on the attack and the company is that the threat actors were able to reach Blackbaud’s systems and compromise data largely because of the company’s poor cyber security practices and lack of data encryption. Based on these findings, the California Attorney General’s office has ordered it to pay $6.75 million to settle the ransomware attack of May 2020.
The AG’s office was quite scathing; it said, “the attack occurred due to poor security practices.” Blackbaud, during the course of the investigation / trial, revealed that the threat actors compromised unencrypted social security numbers, bank account numbers and login credentials. Not satisfied with the way they had messed with cyber security training and practice, they took a leap of faith. The company “then made misleading statements about the sufficiency of the data security efforts prior to the breach.” It was also not transparent about the extent of the breach to its non-profit customers and the public. Nobody is ready to give a well calculated reply. Managing without guts and expertise seems to have become the evolving truism of life.
COMPANIES NEED TO BE PENALISED FOR THEIR LACKADAISICAL APPROACH TO CYBER SECURITY VERY SEVERELY.
Sanjay Sahay
Have a nice evening.