
Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices that led to a May 2020 ransomware attack and a data breach affecting millions of people.
Blackbaud is a U.S.-based company listed on NASDAQ with operations in several countries and a provider of cloud-based donor data management software for nonprofit organizations, such as charities, education organizations, and healthcare agencies.
The FTC’s complaint alleges that the company “failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls” and “allowed employees to use default, weak, or identical passwords for their accounts.”
As part of the settlement, the FTC ordered the software provider to improve its security measures and ensure that it deletes from its systems any customer data that is no longer needed.
Blackbaud will also be barred from misrepresenting its data security and data retention protocols and will be required to create an information security program designed to rectify the problems outlined in the FTC’s complaint.
Under the proposed order, Blackbaud must also establish a data retention schedule detailing the rationale for retaining personal data and specifying the timeline for its deletion. Blackbaud is also required to promptly notify the FTC in the event of a data breach that requires reporting to relevant local, state, or federal agencies.
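A retention schedule of the kind the order describes only helps if it is actually enforced against stored records: each category needs a documented rationale and a deletion deadline, and anything held without a scheduled category should be flagged rather than silently kept. The following Python checker is an added illustration, not code from Blackbaud, the FTC, or the article; the categories, retention periods, rationales and sample records are all constructed for this example and are not Blackbaud's real schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: category -> (rationale, retention period in days).
# These categories and periods are hypothetical placeholders, not Blackbaud's policy.
RETENTION_SCHEDULE = {
    "donor_contact": ("needed while the donor relationship is active", 365 * 2),
    "bank_account": ("needed only until the gift is processed and reconciled", 90),
    "ssn": ("needed only to generate tax receipts for the gift year", 365),
    "backup_export": ("operational backup copy; regenerated on a rolling basis", 30),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date  # date on which the business purpose for keeping the data ended


def retention_deadline(rec: Record) -> date:
    """Date after which the record must be deleted under the schedule."""
    _rationale, days = RETENTION_SCHEDULE[rec.category]
    return rec.last_needed + timedelta(days=days)


def review_records(records, today):
    """Classify records as expired (delete now), retained (still within period),
    or unscheduled (no category and no rationale on file, which must be flagged)."""
    expired, retained, unscheduled = [], [], []
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            unscheduled.append(rec.record_id)
        elif retention_deadline(rec) < today:
            expired.append(rec.record_id)
        else:
            retained.append(rec.record_id)
    return {"expired": expired, "retained": retained, "unscheduled": unscheduled}


# Constructed sample inventory of stored records (hypothetical values).
SAMPLE_RECORDS = [
    Record("r1", "bank_account", date(2023, 10, 1)),
    Record("r2", "donor_contact", date(2023, 6, 1)),
    Record("r3", "ssn", date(2022, 12, 15)),
    Record("r4", "legacy_import", date(2021, 1, 1)),  # no schedule entry at all
    Record("r5", "backup_export", date(2024, 1, 20)),
]


def sample_review():
    """Run the review against the constructed inventory as of a fixed date."""
    return review_records(SAMPLE_RECORDS, date(2024, 2, 1))


if __name__ == "__main__":
    result = sample_review()
    for bucket, ids in result.items():
        print(f"{bucket}: {ids}")
```

The "unscheduled" bucket is the important design choice: data with no documented rationale is exactly the kind the complaint describes as retained without need, so the checker surfaces it for a decision instead of treating the absence of a rule as permission to keep it.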
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
The FTC says that Blackbaud paid the ransomware gang that stole the personal data of millions of people from its systems a ransom of 24 Bitcoin (worth around $250,000 at the time) after the attackers threatened to leak the stolen data online.
“The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint,” the FTC said on Thursday.
Blackbaud disclosed the breach in July 2020 and later revealed that it affected data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands, including banking information, social security numbers, and plaintext credentials.
It also submitted an 8-K filing with the U.S. Securities and Exchange Commission (SEC) in September 2020, which omitted critical details about the full scope of the breach and downplayed the risk associated with the sensitive stolen information, describing it as hypothetical, according to the SEC.
By November 2020, the company was already a defendant in 23 proposed class-action lawsuits related to the May 2020 breach in the U.S. and Canada.
Blackbaud agreed to pay $3 million in March 2023 to settle SEC charges over its failure to disclose the ransomware attack’s “full impact.”
In October, the cloud provider also agreed to pay $49.5 million to settle a joint multi-state investigation of the breach backed by attorneys general from 49 U.S. states.
“Blackbaud’s failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement.
