At a glance.
- Blackbaud incident: insurance and litigation updates.
- Police use of Ring cameras.
Blackbaud costs begin to add up.
Blackbaud’s Q3 quarterly report has been submitted to the US Securities and Exchange Commission, and it details the financial toll that this summer’s massive breach has had on the company, Bleeping Computer reports. The cloud-based fundraising software provider confirmed it is being sued in twenty-three class-action lawsuits leveled by the breach victims. The list of impacted clients has been growing steadily since the summer and currently includes approximately two hundred and fifty organizations from the US, Canada, the UK, and the Netherlands.
In addition to the suits, Blackbaud has already poured over three million dollars into managing the fallout from the incident, and has recorded nearly three million dollars in accrued insurance recoveries. GovInfo Security reports that Blackbaud is confident the expenses will be covered by the company’s cybersecurity insurance. That said, more lawsuits are likely given the number of investigations and inquiries still being conducted by government agencies. (In the US, these include the Federal Trade Commission and the Department of Health and Human Services.) And although Blackbaud has paid the requested ransom, there's no guarantee that the attackers will keep their end of the bargain. Blackbaud could be paying for this breach for a long time.
The trend of ransomware operators stealing files and threatening to dox the victims, in addition to simply encrypting data and rendering it unavailable, began in late 2019 and gained steam over 2020. It’s now practically routine: at this point any ransomware infestation ought to be presumed to be a data breach as well, until proven otherwise. Coveware’s third-quarter ransomware report describes why expecting extortionists to live up to their end of a bargain to destroy stolen data amounts to a sucker's bet. Coveware presents the sorry track record of criminal dishonor, broken down by ransomware strain:
- “Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
- “Maze / Sekhmet / Egregor (related groups): Data posted on a leak site accidentally or willfully before the client understood there was data taken.
- “Netwalker: Data posted of companies that had paid for it not to be leaked
- “Mespinoza: Data posted of companies that had paid for it not to be leaked
- “Conti: Fake files are shown as proof of deletion.”
Ring camera as police surveillance device?
Police in the US state of Mississippi are launching a pilot program using private citizens’ Ring cameras as a means of keeping law enforcement abreast of crime in the area, reports Threatpost. During the forty-five-day program, participating residents and businesses will allow their camera footage to be livestreamed to police precincts. Though participation is voluntary, privacy advocates argue that the program amounts to overreach, allowing police to hide public surveillance behind privately owned technology without obtaining general consent from the community. As American Civil Liberties Union (ACLU) analyst Matthew Guariglia puts it, “It evades the natural reaction of fear and distrust that many people would have if they learned police were putting up dozens of cameras on their block, one for every house.”
A spokesperson for the Amazon-owned company was quick to distance Ring from the program, stating “Ring is not working with any of the companies or the city in connection with this program.” However, this is not the first time that Ring’s privacy policies have come under scrutiny. Just over a year ago Ring was criticized by the ACLU and over thirty other advocacy groups for launching a “neighborhood watch” program allowing police to request footage from Ring owners in areas where crimes had occurred. And last year a vulnerability was discovered that could allow hackers to use the smart doorbell to infiltrate the user’s home Wi-Fi network; although the flaw has been patched, questions remain about Ring’s security practices.