Blackbaud, which had data on millions of people stolen from it by one or more crooks, has promised to shore up its IT defenses in a proposed deal with the FTC.
In announcing the draft settlement, the US watchdog's chair Lina Khan, Commissioner Rebecca Slaughter, and Commissioner Alvaro Bedoya blasted Blackbaud – a cloud software provider for schools, charities, and other orgs – for its "unfair and deceptive data security practices" in a statement [PDF].
"The FTC charges that Blackbaud's reckless data retention practices rendered its security failures much more costly: by hoarding reams of data that it did not reasonably need, Blackbaud's breach exposed far more data," they said.
"Moreover, Blackbaud's notification alerting victims of the breach included false statements, which Blackbaud did not correct until months later — and months after it knew the statements were false."
Back in February 2020, according to a formal complaint [PDF] raised by the FTC, criminals broke into Blackbaud's databases, remained undetected for three months, and stole files on about 13,000 of the biz's customers. Those files contained "the personal information of millions of consumers," the regulator said.
After being detected, the intruders extorted the software maker, and Blackbaud allegedly agreed to pay the miscreants about $235,000 to quietly go away and delete any pilfered documents, according to the FTC complaint. However, Blackbaud wasn't able to verify that the crims really did scrap the swiped data.
Then, in June 2020, the biz finally got around to alerting its customers about the privacy breach. At the time it assured them: "The cybercriminal did not access credit card information, bank account information, or social security numbers."
This turned out to be false, we're told. According to the FTC, Blackbaud knew as early as July 31, 2020, "that the attacker had exfiltrated consumers' bank account numbers and social security numbers." The business didn't, however, disclose that to customers until October 2020.
- Cloud biz Blackbaud caved to ransomware gang's demands – then neglected to inform customers for two months
- 'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'
- What happens if you 'cover up' a ransomware infection? For Blackbaud, a $3m charge
- Biden will veto attempts to kill off SEC's data breach reporting rules
In March 2023, Blackbaud agreed to pay $3 million to settle charges brought by America's financial watchdog the SEC accusing the IT outfit of making misleading statements about its security fiasco.
Then in October that year, attorneys general from all 50 US states secured another $49.5 million settlement over Blackbaud's "deficient data security practices and inadequate response" to the network breach.
As part of this latest settlement [PDF], brokered with the FTC, Blackbaud has agreed to delete or destroy customer backup files containing sensitive information that is not needed to provide products or services to these customers. That's expected to reduce the risk of personal data being stolen in future.
Blackbaud also agreed to publicize its updated data retention policy, outlining what specific customer info it keeps, why the outfit has it, and give a firm timeframe for deleting these files.
Plus, the firm has to put into place an overhauled infosec program that includes, among other things, multi-factor authentication; data loss prevention tools; penetration testing; and encryption of, at a minimum, customers' Social Security numbers, passport numbers, tax IDs, driving licenses and other government-issued identification, plus bank account, credit card, and debit card information, dates of birth, medical information, and user account credentials.
That last part is important because, according to the watchdog, Blackbaud's failure to encrypt sensitive data, plus holding onto this information for far longer than was necessary, made the security breach far worse than it would have been otherwise.
A Blackbaud spokesperson told The Register the company neither admits nor denies any of the FTC's allegations in its proposed settlement, which is awaiting final sign-off from the regulator.
"We are pleased to resolve this matter with the FTC," said Mike Gianoni, president and CEO, Blackbaud. "Protecting our customers' and their constituents' privacy will always be of paramount importance to Blackbaud, and we continue to strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape." ®