Blackbaud has agreed to delete excess sensitive data it held about its customers and to completely review its data retention and data security policies, as part of a settlement formalized with the Federal Trade Commission (FTC) following a catastrophic data breach in 2020.
Blackbaud was breached in February 2020 by unnamed threat actors. The hackers targeted the company’s infrastructure for three months, quietly identifying and exfiltrating sensitive data. By the time they were done, they had siphoned off files from about 13,000 Blackbaud customers.
From that point on, the incident went from bad to worse. First, Blackbaud tried to pay the attackers to make the problem go away, giving them $235,000 to delete the stolen files and never speak of them again. No one knows for sure whether the hackers actually deleted the files.
Dealing with the regulators
Blackbaud then notified its customers of the breach and issued a false, misleading statement that only exacerbated the problem. Apparently it took the company four months to publish a statement, and when it did, it told customers that their credit card information, bank account information, and Social Security numbers were safe, which was not the case. The FTC claims that Blackbaud knew this was untrue as early as July 2020, but it took until October to correct the statement.
Blackbaud first settled with the SEC and paid $3 million in fines. It then settled with individual US states and paid another $49.5 million. Now the company has reached a settlement with the FTC, agreeing to delete or destroy backup files containing sensitive customer information, especially data it does not need in order to operate.
It must also update its data retention policies and publicly state what data it holds and why. Finally, it will have to completely revamp its security practices, including the introduction of multi-factor authentication, data loss prevention tools, penetration testing and encryption of user data.