The FTC has reached a settlement with fundraising software provider Blackbaud over poor security practices that led to a significant data breach.
Hackers accessed Blackbaud systems in early 2020 and obtained vast amounts of sensitive customer data. The company failed to detect the breach for three months, then waited nearly two months to disclose the incident, and even then it initially downplayed its extent.
Blackbaud agreed to pay a 24 bitcoin ($250,000) ransom to the cybercriminals, but did not take steps to ensure that they would actually delete the stolen data, the FTC said.
In its complaint, the government watchdog said Blackbaud had poor security practices in several areas, including failure to encrypt sensitive customer data, to properly monitor and segment its network, to implement multifactor authentication and prevent the use of weak passwords, and to delete data that was no longer needed.
As part of the settlement with the FTC, Blackbaud will have to develop a comprehensive information security program, and delete data that is no longer needed to provide its products and services.
This comes just months after Blackbaud agreed to pay $49.5 million to settle data breach claims brought by the attorneys general of 49 states and Washington, DC.
“This is one more example that the FTC is artfully and progressively policing US cyber space for poor data protection practices, which may fall under Article 5(a) of the FTC Act (‘unfair and/or deceptive acts or practices’),” Ilia Kolochenko, CEO and chief architect at ImmuniWeb, told SecurityWeek.
“The ‘Mandated Information Security Program’ section of the FTC Order to Blackbaud is very detailed and covers virtually all technical aspects of a comprehensive cybersecurity program. Non-compliance with the Order can be punished with a hefty monetary fine, so cybersecurity will likely become a high priority for Blackbaud during the next years.” added Kolochenko, who is also an adjunct professor of cybersecurity and cyber law at Capital Technology University.