Education tech company Blackbaud agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.
The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to colleges, nonprofits, healthcare organizations and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.
This February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where the hackers remained undetected for over three months and exfiltrated massive amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.
The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses and telephone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, didn’t disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.
According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from happening. The regulator also alleges that the company didn’t monitor attempts by hackers to breach its networks, segment data, adequately implement multi-factor authentication or test, review and assess its corporate security controls. The company also permitted employees to use default, weak or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks at risk of cyberattacks.
Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s deficient encryption practices magnified the severity of the data breach,” the FTC said.
The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
In a joint statement, FTC chairperson Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” by retaining data the company did not need, they said.
Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.
SEC charges Blackbaud for failing to disclose ‘full impact’ of ransomware attack