Education technology company Blackbaud has agreed to a settlement with the U.S. Federal Trade Commission over its security practices that led to a 2020 data breach.
The FTC said "lax" security practices at Blackbaud, a U.S.-based company that provides financial and management software to universities, nonprofits, medical institutions, and far-right organizations, allowed attackers to infiltrate the company's network and steal the personal data of millions of consumers.
In the February 2020 incident, an attacker used a customer's credentials to gain access to Blackbaud's network and remained undetected for more than three months, exfiltrating large amounts of unencrypted data, including Social Security numbers and bank account numbers.
South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses, and phone numbers had been taken, and that the attacker "did not access" Social Security numbers.
The FTC alleges that Blackbaud knew as early as July 2020 that Social Security numbers and financial data had been stolen, but did not disclose the full extent of the breach until late October of that year. The FTC also said Blackbaud paid the attackers a ransom of approximately $250,000 in exchange for a promise to delete the stolen data, but was unable to confirm that the data had in fact been deleted.
According to the FTC's complaint, Blackbaud did not have adequate cybersecurity measures in place to prevent the breach. Regulators allege that the company failed to monitor attempts to penetrate its network, segment its data, properly implement multi-factor authentication, or test, review, and evaluate its security controls. The complaint also alleges that the company left its own and its customers' data exposed by allowing employees to use weak or identical default passwords and by failing to patch outdated software and systems in a timely manner.
According to the complaint, Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not designated for that purpose. "Blackbaud's poor encryption practices increased the severity of the data breach," the FTC said.
Regulators further accused Blackbaud of retaining consumer data, including data on "customers who had switched to products not affected by the breach, and even potential customers," for years beyond what was necessary.
"Blackbaud's lax security and data retention practices allowed hackers to obtain sensitive personal data about millions of consumers," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "Companies have a responsibility to secure the data they hold and delete data that is no longer needed."
In a joint statement, FTC Chair Lina Khan and fellow Democratic-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya called the company "reckless" for keeping data it did not need and accused it of "inappropriate data retention practices."
Blackbaud did not respond to TechCrunch's questions, but under the settlement it agreed to delete data it no longer needs and to overhaul its cybersecurity practices.