FTC orders Blackbaud to boost security after massive data breach (February 2024)
Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices that led to a May 2020 ransomware attack and a data breach affecting millions of people.
The FTC's complaint alleges that the company "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and "allowed employees to use default, weak, or identical passwords for their accounts."
Under the settlement, Blackbaud will be barred from inaccurately portraying its data security and data retention protocols and will be required to create an information security program designed to rectify the concerns outlined in the FTC's complaint.
"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.
The FTC says that Blackbaud paid a ransom of 24 Bitcoin to the ransomware gang that stole personal data belonging to millions of people from its systems, after the attackers threatened to leak the stolen data online.
Blackbaud disclosed the breach in July 2020 and later revealed that it impacted data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands, including banking information, social security numbers, and plaintext credentials.