FTC orders Blackbaud to overhaul ‘reckless’ security practices in wake of 2020 breach

Education tech firm Blackbaud has agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.

The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to schools, nonprofits, healthcare organizations and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.

In the February 2020 incident, malicious hackers used a customer’s credentials to gain access to Blackbaud’s network, where they remained undetected for over three months and exfiltrated vast amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.

The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses and phone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, did not disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.

According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from occurring. The regulator also alleges that the company failed to monitor attempts by hackers to breach its networks, segment data, adequately implement multi-factor authentication, or test, review and assess its enterprise security controls. The company also permitted employees to use default, weak or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks vulnerable to cyberattacks.

Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s deficient encryption practices magnified the severity of the data breach,” the FTC said.

The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

In a joint statement, FTC chair Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” for retaining data it did not need.

Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.
