Blackbaud has agreed to delete excess sensitive data it held on its customers, and completely revamp its data retention and data security policies as part of the settlement it formalized with the Federal Trade Commission (FTC), following a catastrophic data breach that happened in 2020.
Blackbaud was breached in February 2020 by unnamed threat actors. The intruders dwelt in the company's infrastructure for roughly three months, quietly identifying and exfiltrating sensitive data. By the time they were done, they had siphoned out files belonging to roughly 13,000 Blackbaud customers.
From that point the incident went from bad to worse. First, Blackbaud tried to pay the attackers to make the problem go away, handing over about $235,000 in exchange for a promise to delete the stolen files and never disclose them. There is no way to verify that the attackers actually deleted the data, and Blackbaud has no evidence that they did.
Settling with the regulators
Blackbaud then notified its customers about the breach with a false and misleading statement that only made matters worse. It took the company four months to publish a notice, and when it did, it told customers that their credit card information, bank account information and Social Security numbers had not been accessed, which was untrue. The FTC says Blackbaud knew this statement was false as early as July 2020, yet it did not correct it until October of that year.
Blackbaud first settled with the SEC, paying a $3 million penalty. It then settled with individual U.S. states for a further $49.5 million. Now it has settled with the FTC, agreeing to delete or destroy backup files containing sensitive customer information, in particular any data it does not need in order to run its business.
The company must also adopt a data retention schedule and publicly state what data it keeps and why. Finally, it must overhaul its security program, including rolling out multifactor authentication, data loss prevention tooling, regular penetration testing, and encryption of customer data.