Image Credits: John Taylor / Flickr under a CC BY 2.0 license.
Education tech company Blackbaud agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.
The FTC said that Blackbaud, a U.S.-based company that provides financial and administrative software to colleges, nonprofits, healthcare organizations and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.
This February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where the hackers remained undetected for over three months and exfiltrated massive amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.
The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses and telephone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, didn’t disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.
According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from happening. The regulator also alleges that the company didn’t monitor attempts by hackers to breach its networks, segment data, adequately implement multi-factor authentication or test, review and assess its corporate security controls. The company also allowed employees to use default, weak or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks at risk of cyberattacks.
Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s substandard encryption practices magnified the severity of the data breach,” the FTC said.
The regulator has also charged Blackbaud with retaining consumer information for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even prospective customers.”
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal information about millions of consumers,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete information they no longer need.”
In a joint statement, FTC chair Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” by retaining data the company did not need, they said.
Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and reform its cybersecurity practices.