Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices, resulting in a May 2020 ransomware attack and a data breach affecting millions of people.
Blackbaud is a U.S.-based company listed on NASDAQ with operations in multiple countries and a provider of cloud-based donor data management software catering to nonprofit organizations, such as charities, education organizations, and healthcare agencies.
The FTC's complaint alleges that the company "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and "allowed employees to use default, weak, or identical passwords for their accounts."
As part of the settlement, the FTC ordered the software provider to improve its security measures and ensure that it deletes any customer data that is no longer needed from its systems.
Blackbaud will also be barred from inaccurately portraying its data security and data retention protocols and will be required to create an information security program designed to rectify the issues outlined in the FTC's complaint.
According to the proposed order, Blackbaud must also establish a data retention schedule detailing the rationale behind retaining personal data and specifying the timeline for its deletion. Blackbaud is also mandated to promptly notify the FTC in the event of a data breach that requires reporting to relevant local, state, or federal agencies.
"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.
The FTC says that Blackbaud paid the ransomware gang that stole the personal data belonging to millions of people from its systems a ransom of 24 Bitcoin (worth around $250,000 at the time) after the attackers threatened to leak the stolen data online.
"The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint," the FTC said on Thursday.
Blackbaud disclosed the breach in July 2020 and later revealed that it impacted data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands, including banking information, social security numbers, and plaintext credentials.
It also submitted an 8-K filing with the U.S. Securities and Exchange Commission (SEC) in September 2020, which omitted crucial details regarding the full scope of the breach and downplayed the risk associated with the sensitive stolen information, describing it as hypothetical, according to the SEC.
By November 2020, the company was already a defendant in 23 proposed class-action lawsuits related to the May 2020 breach in the U.S. and Canada.
Blackbaud agreed to pay $3 million in March 2023 to settle SEC charges highlighting its failure to disclose the ransomware attack's "full impact."
In October, the cloud provider also agreed to pay $49.5 million to settle a joint multi-state investigation of the breach backed by attorneys general from 49 U.S. states.
"Blackbaud's failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse," said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement.