Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices, leading to a May 2020 ransomware attack and a data breach affecting millions of people.
Blackbaud is a U.S.-based, NASDAQ-listed company with operations in multiple countries. It provides cloud-based donor data management software to nonprofit organizations such as charities, education organizations, and healthcare agencies.
As part of the settlement, the FTC ordered the software provider to improve its security measures and ensure that it deletes any customer data that is no longer needed from its systems.
Blackbaud will also be barred from misrepresenting its data security and data retention practices and will be required to create an information security program designed to address the concerns outlined in the FTC's complaint.
According to the proposed order, Blackbaud must also establish a data retention schedule detailing the rationale behind retaining personal data and specifying the timeline for its deletion.
Blackbaud is also mandated to promptly notify the FTC in the event of a data breach that requires reporting to relevant local, state, or federal agencies.
The FTC says that Blackbaud paid the ransomware gang that stole the personal data belonging to millions of people from its systems a ransom of 24 Bitcoin after the attackers threatened to leak the stolen data online.
Blackbaud disclosed the breach in July 2020 and later revealed that it impacted data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands, including banking information, social security numbers, and plaintext credentials.
It also submitted an 8-K filing with the U.S. Securities and Exchange Commission in September 2020, which left out crucial details regarding the full scope of the breach and downplayed the risk associated with the sensitive stolen information, describing it as hypothetical, according to the SEC. By November 2020, the company was already a defendant in 23 proposed class-action lawsuits related to the May 2020 breach in the U.S. and Canada.
In October, the cloud provider also agreed to pay $49.5 million to settle a joint multi-state investigation of the breach backed by attorneys general from 49 U.S. states.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 01 Feb 2024 22:25:14 +0000