FTC orders Blackbaud to overhaul ‘reckless’ security practices in wake of 2020 breach

Education tech company Blackbaud agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.

The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to schools, nonprofits, healthcare organizations, and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.

This February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where the hackers remained undetected for over three months and exfiltrated vast amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.

The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses, and phone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, did not disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.

According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from happening. The regulator also alleges that the company did not monitor attempts by hackers to breach its networks, segment data, adequately enforce multi-factor authentication, or test, review and assess its corporate security controls. The company also permitted employees to use default, weak, or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks susceptible to cyberattacks.

Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s poor encryption practices magnified the severity of the data breach,” the FTC said.

The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

In a joint statement, FTC chairperson Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” for keeping data the company did not need.

Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.