Blackbaud settles with FTC after that IT breach exposed millions of people’s info – Source: go.theregister.com

Blackbaud, which had data on millions of people stolen from it by one or more crooks, has promised to shore up its IT defenses in a proposed deal with the FTC.

In announcing the draft settlement, the US watchdog’s boss Lina Khan, Commissioner Rebecca Slaughter, and Commissioner Alvaro Bedoya blasted Blackbaud – a cloud software provider for schools, charities, and other orgs – for its “unfair and deceptive data security practices” in a statement [PDF].

“The FTC charges that Blackbaud’s reckless data retention practices rendered its security failures much more costly: by hoarding reams of data that it did not reasonably need, Blackbaud’s breach exposed far more data,” they said.

“Moreover, Blackbaud’s notification alerting victims of the breach included false statements, which Blackbaud did not correct until months later — and months after it knew the statements were false.”

Back in February 2020, according to a formal complaint [PDF] raised by the FTC, criminals broke into Blackbaud’s databases, remained undetected for three months, and stole files on about 13,000 of the biz’s customers. Those files contained “the personal information of millions of consumers,” the regulator said

After being detected, the intruders extorted the software maker, and Blackbaud allegedly agreed to pay the miscreants about $235,000 to quietly go away and delete any pilfered documents, according to the FTC complaint. However, Blackbaud wasn’t able to verify that the crims really did scrap the swiped data.

Then, in June 2020, the biz finally got around to alerting its customers about the privacy breach. At the time it assured them: “The cybercriminal did not access credit card information, bank account information, or social security numbers.”

This turned out to be false, we’re told. According to the FTC, Blackbaud knew as early as July 31, 2020, “that the attacker had exfiltrated consumers’ bank account numbers and social security numbers.” The business didn’t, however, disclose that to customers until October 2020.

• Cloud biz Blackbaud caved to ransomware gang’s demands – then neglected to inform customers for two months
• ‘We stopped ransomware’ boasts Blackbaud CEO. And by ‘stopped’ he means ‘got insurance to pay off crooks’
• What happens if you ‘cover up’ a ransomware infection? For Blackbaud, a $3m charge
• Biden will veto attempts to kill off SEC’s security breach reporting rules

In March 2023, Blackbaud agreed to pay $3 million to settle charges brought by America’s financial watchdog the SEC accusing the IT player of making misleading statements about its security fiasco.

Then in October that year, attorneys general from all 50 US states secured another $49.5 million settlement over Blackbaud’s “deficient data security practices and inadequate response” to the network breach.

As part of this latest settlement [PDF], brokered with the FTC, Blackbaud has agreed to delete or destroy customer backup files containing sensitive information that is not needed to provide products or services to these customers. That’s supposed to reduce the risk of personal data being stolen in future.

Blackbaud also agreed to publicize its updated data retention policy, outlining what specific customer info it maintains, why the outfit has it, and give a solid timeframe for deleting these files.

Plus, the firm has to put into place an overhauled infosec program that includes, among other things, multi-factor authentication; data loss tools; penetration testing; and encryption of, at a minimum, customers’ Social Security numbers, passport numbers, tax IDs, driving licenses and other government-issued identification, plus bank account, credit card, and debit card information, dates of birth, medical information, and user account credentials.

That last part is important because, according to the watchdog, Blackbaud’s failure to encrypt sensitive data, plus holding onto this information for far longer than was necessary, made the security breach far worse than it would have been otherwise.

A Blackbaud spokesperson told The Register the company neither admits nor denies any of the FTC’s allegations in its proposed settlement, which is awaiting final sign-off from the regulator.

“We are pleased to resolve this matter with the FTC,” said Mike Gianoni, president and CEO, Blackbaud. “Protecting our customers’ and their constituents’ privacy will always be of paramount importance to Blackbaud, and we continue to strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape.” ®