Education tech company Blackbaud has reached a settlement with the U.S. Federal Trade Commission (FTC) following a 2020 data breach. The FTC alleges that Blackbaud’s lax security protocols led to attackers breaching the company’s network and accessing the personal data of millions of consumers.
Key Takeaway
Blackbaud has agreed to delete extraneous data and reform its cybersecurity practices following the FTC’s allegations of lax security protocols and data retention practices.
Security Breach Details
The incident in February 2020 involved hackers using a customer’s credentials to gain access to Blackbaud’s network. The hackers remained undetected for over three months and exfiltrated large amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.
FTC Allegations
The FTC claims that Blackbaud knew as early as July 2020 that Social Security numbers and financial data had been stolen but did not disclose the full extent of the breach until later that October. Additionally, the company failed to verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000.
FTC Complaint
According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach. The regulator also alleges that the company didn’t monitor attempts by hackers to breach its networks, segment data, adequately implement multi-factor authentication, or test, review and assess its corporate security controls.
FTC Charges
The FTC has charged Blackbaud with retaining consumer data for years beyond when it was needed, including for customers who had switched to products not affected by the breach, and even potential customers. The company has been accused of “reckless data retention practices” by retaining data it did not need.