Education tech company Blackbaud agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.
The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to schools, nonprofits, healthcare organizations, and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.
The February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where the hackers remained undetected for over three months and exfiltrated vast amounts of unencrypted, sensitive consumer data, including Social Security and bank account numbers.
The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses, and phone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, did not disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.
According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from occurring. The regulator also alleges that the company did not monitor attempts by hackers to breach its networks, segment its data, adequately implement multi-factor authentication, or test, review and assess its corporate security controls. The company also permitted employees to use default, weak, or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks susceptible to cyberattacks.
Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s poor encryption practices magnified the severity of the data breach,” the FTC said.
The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
Blackbaud, which did not respond to information.killnetswitch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.