FTC to Blackbaud: We're not gonna fine you, but do better (The Register)

Back in February 2020, according to a formal complaint [PDF] raised by the FTC, criminals broke into Blackbaud's databases, remained undetected for three months, and stole files on about 13,000 of the biz's customers.
The intruders extorted the software maker, and Blackbaud allegedly agreed to pay the miscreants about $235,000 to quietly go away and delete any pilfered documents, according to the FTC complaint.
Blackbaud wasn't able to verify that the crims really did scrap the swiped data.
In June 2020, the biz finally got around to alerting its customers about the privacy breach.
In March 2023, Blackbaud agreed to pay $3 million to settle charges brought by America's financial watchdog, the SEC, accusing the IT player of making misleading statements about its security fiasco.
As part of this latest settlement [PDF], brokered with the FTC, Blackbaud has agreed to delete or destroy customer backup files containing sensitive information that is not needed to provide products or services to these customers.
That's supposed to reduce the risk of personal data being stolen in future.
Blackbaud also agreed to publicize its updated data retention policy, outlining what specific customer info it maintains, why the outfit has it, and give a solid timeframe for deleting these files.
Plus, the firm has to put into place an overhauled infosec program that includes, among other things, multi-factor authentication; data loss prevention tools; penetration testing; and encryption of, at a minimum, customers' Social Security numbers, passport numbers, tax IDs, driving licenses and other government-issued identification, plus bank account, credit card, and debit card information, dates of birth, medical information, and user account credentials.
That last part is important because, according to the watchdog, Blackbaud's failure to encrypt sensitive data, plus holding onto this information for far longer than was necessary, made the security breach far worse than it would have been otherwise.
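The two failings the watchdog singles out, sensitive data held unencrypted and kept long past its useful life, are both things a backup inventory can be checked for mechanically. The following is an added illustration written for this page, not code from Blackbaud, the FTC, or the settlement: it runs a hypothetical retention schedule over a constructed list of backup files, names the ones that are past their retention limit and not needed to deliver a service (and so should be deleted), and separately flags any file that still holds a sensitive category from the settlement's list without encryption. The retention periods, file paths, customer IDs and the `BackupFile` record layout are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Data categories the settlement says must be encrypted at a minimum
# (names are the article's categories, spelled as short tokens here).
SENSITIVE_CATEGORIES = {
    "ssn", "passport", "tax_id", "government_id", "bank_account",
    "payment_card", "date_of_birth", "medical", "credentials",
}

# Hypothetical retention schedule in days per category. These values are
# assumptions for the example, not Blackbaud's actual policy.
RETENTION_DAYS = {
    "payment_card": 90,
    "default": 365,
}


@dataclass
class BackupFile:
    path: str
    customer_id: str
    created: date
    categories: Set[str]
    encrypted: bool
    needed_for_service: bool   # still required to provide the product or service


def retention_limit(backup: BackupFile) -> Optional[int]:
    """Return the retention period in days, or None if the file is still needed.

    The strictest (shortest) limit among the categories present wins; a file
    with no specifically scheduled category falls back to the default.
    """
    if backup.needed_for_service:
        return None
    limits = [RETENTION_DAYS[c] for c in backup.categories if c in RETENTION_DAYS]
    return min(limits) if limits else RETENTION_DAYS["default"]


def evaluate(backups: List[BackupFile], today: date) -> Tuple[List[str], List[str]]:
    """Split an inventory into (paths to delete, paths holding sensitive data unencrypted).

    A file can appear in both lists: until it is actually destroyed it is
    still an unencrypted copy sitting on disk, so it is reported in both.
    """
    to_delete = []
    unencrypted_sensitive = []
    for b in backups:
        limit = retention_limit(b)
        if limit is not None and (today - b.created).days > limit:
            to_delete.append(b.path)
        if b.categories & SENSITIVE_CATEGORIES and not b.encrypted:
            unencrypted_sensitive.append(b.path)
    return to_delete, unencrypted_sensitive


# Constructed sample inventory; paths and customer IDs are made up.
TODAY = date(2024, 2, 2)
SAMPLE_INVENTORY = [
    # 383 days old, past the 365-day default, and unencrypted: delete and flag
    BackupFile("bk/cust-001/2023-01.tar", "cust-001", date(2023, 1, 15), {"ssn", "medical"}, False, False),
    # 63 days old, within the 90-day card limit: keep
    BackupFile("bk/cust-002/2023-12.tar", "cust-002", date(2023, 12, 1), {"payment_card"}, True, False),
    # 154 days old, past the 90-day card limit: delete
    BackupFile("bk/cust-003/2023-09.tar", "cust-003", date(2023, 9, 1), {"payment_card", "credentials"}, True, False),
    # old, but still needed to provide the service: keep
    BackupFile("bk/cust-004/2022-06.tar", "cust-004", date(2022, 6, 1), {"ssn"}, True, True),
    # recent, but credentials stored unencrypted: flag
    BackupFile("bk/cust-005/2024-01.tar", "cust-005", date(2024, 1, 20), {"credentials"}, False, False),
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Evaluate the constructed inventory as of the article's publication date."""
    return evaluate(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    delete, flagged = run_sample()
    print("past retention, delete:", delete)
    print("sensitive but unencrypted:", flagged)
```

The point of splitting the two checks is that they address different parts of the finding: the deletion list shrinks the amount of data an intruder could take, while the unencrypted list limits the damage from whatever must be kept. Running it on a real inventory would mean replacing the constructed records with metadata read from the backup system.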
A Blackbaud spokesperson told The Register the company neither admits nor denies any of the FTC's allegations in its proposed settlement, which is awaiting final sign-off from the regulator.

This Cyber News was published on go.theregister.com. Publication date: Fri, 02 Feb 2024 21:43:15 +0000