Education tech giant Blackbaud has agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that led to a 2020 data breach.
The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to schools, nonprofits, healthcare organizations, and other organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.
The February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where they remained undetected for more than three months and exfiltrated vast amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.
The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses, and phone numbers had been stolen, saying that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
The FTC claims that Blackbaud knew as early as July 2020 that Social Security numbers and financial data had been stolen, yet did not disclose the full extent of the breach until that October. Nor did the company verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.
According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from occurring. The regulator also alleges that the company failed to monitor attempts by hackers to breach its networks, segment its data, adequately implement multi-factor authentication, or test, review and assess its security controls. The company also allowed employees to use default, weak, or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks vulnerable to cyberattacks. Taken together, those failures account for the three-month dwell time: a single stolen credential, unchallenged by MFA, opened an unsegmented network that nobody was watching for intrusions.
Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, according to the complaint. “Blackbaud’s poor encryption practices magnified the severity of the data breach,” the FTC said.
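The failure the FTC describes here, identifiers typed into free-text fields that are stored in the clear, is one a practitioner can check for before an attacker does. The following is an added example written for this page, not Blackbaud’s code or anything from the FTC complaint: it scans a constructed CRM-style export (the records, the hypothetical field names `notes` and `comment`, and the regular expressions are all assumptions) for Social Security numbers and U.S. bank routing and account numbers that have no business being in those fields, validates them structurally so that obvious placeholders are not flagged, and hands the values back so they can be moved into a designated field with proper encryption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real people or real data): a CRM-style export
# where "notes" and "comment" are free-text fields never meant to hold
# identifiers. Record 3 carries SSN-shaped strings that are never issued and
# must not be flagged; record 4 is an innocuous number.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Donor",
     "notes": "Pledged $500. SSN 123-45-6789 on file for tax receipt."},
    {"id": 2, "name": "B. Alum", "notes": "Call back next week.",
     "comment": "Wire details: routing 021000021 acct 000123456789"},
    {"id": 3, "name": "C. Parent",
     "notes": "Placeholder 000-12-3456 and 666-12-3456 are not issued SSNs."},
    {"id": 4, "name": "D. Staff", "notes": "Ticket #1234567 opened."},
]

# Hypothetical free-text field names (an assumption; adapt to the real schema).
FREE_TEXT_FIELDS = ("notes", "comment")

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b(?:routing|aba)\s*#?\s*(\d{9})\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\.?\s*#?\s*(\d{8,17})\b", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (field, kind, value)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 9xx; group 00; serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers carry a mod-10 checksum with weights 3,7,1 repeating."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return len(routing) == 9 and sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def scan_record(record: Dict) -> List[Finding]:
    """Return every identifier found in a record's free-text fields."""
    findings: List[Finding] = []
    for field in FREE_TEXT_FIELDS:
        text = record.get(field)
        if not text:
            continue
        for m in SSN_RE.finditer(text):
            if is_plausible_ssn(*m.groups()):
                findings.append((field, "ssn", m.group(0)))
        for m in ROUTING_RE.finditer(text):
            if aba_checksum_ok(m.group(1)):
                findings.append((field, "routing_number", m.group(1)))
        for m in ACCOUNT_RE.finditer(text):
            findings.append((field, "bank_account", m.group(1)))
    return findings


def scan_records(records: List[Dict]) -> Dict[int, List[Finding]]:
    """Map record id -> findings, keeping only records that need attention."""
    result: Dict[int, List[Finding]] = {}
    for record in records:
        findings = scan_record(record)
        if findings:
            result[record["id"]] = findings
    return result


def redact_record(record: Dict) -> Tuple[Dict, List[Tuple[str, str]]]:
    """Strip identifiers out of the free-text fields and return them separately,
    so the caller can move them into a designated field with proper encryption
    (the encryption step itself is outside this example)."""
    cleaned = dict(record)
    extracted: List[Tuple[str, str]] = []
    for field, kind, value in scan_record(record):
        cleaned[field] = cleaned[field].replace(value, f"[{kind} moved to secure field]")
        extracted.append((kind, value))
    return cleaned, extracted


if __name__ == "__main__":
    for rid, findings in scan_records(SAMPLE_RECORDS).items():
        print(rid, findings)
```

Pattern matching of this kind is a triage aid, not a complete data-loss-prevention control: it catches the common "SSN 123-45-6789" case and rejects obvious placeholders, but it will miss identifiers written without separators or split across fields, and the account-number rule depends on a keyword being nearby. Its value is in turning the FTC’s finding into something measurable, how many records hold identifiers outside designated encrypted fields, which is the number a remediation plan should drive to zero.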
The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
In a joint statement, FTC Chair Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” for keeping data it did not need.
Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.