Education technology company Blackbaud has agreed to settle with the US Federal Trade Commission over the company’s security practices that led to a 2020 data breach.
The FTC alleges that Blackbaud, a US-based company that provides financial and management software to colleges, nonprofits, health care organizations and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.
In the February 2020 incident, the attackers used a customer’s credentials to gain access to Blackbaud’s network, where they went undetected for more than three months and made off with massive amounts of unencrypted sensitive consumer data, including Social Security numbers and bank account information.
South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses and phone numbers were stolen, claiming that “the cybercriminal did not have access to credit card information, bank account information or Social Security numbers.”
The FTC alleges that Blackbaud knew as early as July 2020 that Social Security numbers and financial data had been stolen, but did not disclose the full extent of the breach until October. Nor did the company verify that the stolen data had been deleted after it agreed to pay the attackers a ransom of about $250,000, the FTC said.
According to the FTC complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent the data breach. The regulator also alleges that the company failed to monitor for attackers’ attempts to breach its networks, segment data, adequately implement multi-factor authentication, or test, review and evaluate its security controls. The company also allowed employees to use default, weak or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks vulnerable to cyberattacks.
Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, according to the complaint. “Blackbaud’s poor encryption practices increased the severity of the data breach,” the FTC said.
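One practical response to that finding is to scan free-text fields for identifiers that should only ever live in designated, encrypted columns. The following is an added example, not code from Blackbaud, the FTC or the original article: the records and every value in them are constructed for illustration, while the SSN plausibility rules and the ABA routing-number checksum it applies are the public ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records for this example: free-text "notes" fields of the
# kind the FTC complaint describes, carrying identifiers in fields that were
# never designated (or encrypted) for them. Every value here is made up.
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Donor prefers email contact."},
    {"id": 2, "notes": "SSN 123-45-6789 kept for tax receipt."},
    {"id": 3, "notes": "Wire details: routing 123456780, acct 000123456789"},
    {"id": 4, "notes": "Malformed 666-12-3456 and 000-11-2222 must not count."},
    {"id": 5, "notes": "Order ref 987654321 is not a routing number."},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b(\d{9})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 001-899 except 666, group 01-99, serial 0001-9999."""
    a, g, s = int(area), int(group), int(serial)
    return 1 <= a <= 899 and a != 666 and g != 0 and s != 0


def is_valid_aba_routing(number: str) -> bool:
    """ABA checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if not (len(number) == 9 and number.isdigit()):
        return False
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) hits for SSN-like and routing-number-like tokens in free text.

    Pattern matches alone produce noise (any nine digits, any ddd-dd-dddd), so each
    candidate is validated against the issuing rules before it is reported.
    """
    hits: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        if is_valid_aba_routing(m.group(1)):
            hits.append(("aba_routing", m.group(1)))
    return hits


def redact(value: str) -> str:
    """Keep only the last four characters so a finding can be logged without re-exposing it."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_records(records) -> Dict[int, List[Tuple[str, str]]]:
    """Map record id -> redacted findings for records whose notes carry sensitive tokens."""
    findings: Dict[int, List[Tuple[str, str]]] = {}
    for rec in records:
        hits = scan_text(rec["notes"])
        if hits:
            findings[rec["id"]] = [(kind, redact(val)) for kind, val in hits]
    return findings


if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(rec_id, hits)
```

Run against a real export, the scanner's output is the list of rows to migrate into properly designated encrypted columns (or to purge, where the data was never needed); the findings are redacted on the way out so the report itself does not become another unencrypted copy of the identifiers.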
The regulator has also charged Blackbaud with keeping consumer data for years longer than necessary, including “customers who had switched to products unaffected by the breach, and even potential customers.”
“Blackbaud’s poor security and data retention practices allowed a hacker to obtain sensitive personal data for millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to protect the data they hold and delete data they no longer need.”
In a joint statement, FTC Chair Lina Khan and fellow Democratic commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” for keeping data it did not need.
Blackbaud, which did not respond to TechCrunch’s questions, agreed to delete the extraneous data and reform its security practices.