Blackbaud Must Improve Poor Security, Data Retention Practices to Avoid Future Breaches, Says FTC

FTC describes Blackbaud's way of handling the data breaches as "reckless."

In a pivotal settlement with the Federal Trade Commission (FTC), Blackbaud, a prominent provider of cloud-based donor data management software, has addressed charges of lax security practices that led to a ransomware attack and a consequential data breach in May 2020.

The agency only wants Blackbaud to improve the way it handles any cybersecurity incident so as to mitigate the impact that the customers have to shoulder.

FTC's Allegations and Mandates for Improvement

Blackbaud Must Improve its Poor Security, Data Retention Practices to Avoid Future Breaches, Says FTC
After the ransomware attack in May 2020, FTC urged Blackbaud to improve its security to mitigate the impact on the affected people. Florian Olivo from Unsplash

The FTC's complaint outlines Blackbaud's failure to effectively monitor and thwart hacker attempts, implement strong data segmentation, delete unnecessary data, enforce multi-factor authentication, and assess security controls adequately.

According to the FTC, the settlement mandates significant improvements in security measures, including the implementation of multifactor authentication and the regular testing and review of security controls.

Addressing Password Vulnerabilities

The FTC's complaint points out a critical lapse in Blackbaud's practices related to employee passwords, highlighting the use of default, weak, or identical passwords. The settlement necessitates a fundamental shift in password policies, emphasizing the creation and adherence to strong, unique passwords to bolster overall security.

Establishing a Strong Data Retention Schedule

As part of the settlement terms, Blackbaud is required to develop a comprehensive data retention schedule. This schedule must outline the rationale behind retaining personal data and specify clear timelines for its deletion. This initiative aims to address concerns related to unnecessary data storage and reinforces the importance of timely data disposal.

Proactive Reporting and Accurate Disclosures

Apart from the ones mentioned above, the settlement places a strong emphasis on the accurate portrayal and communication of data security and retention practices.

According to Bleeping Computer, Blackbaud is prohibited from misleading representations and is required to promptly notify the FTC in the event of any future data breaches that warrant reporting to relevant authorities. This proactive approach ensures transparency in handling security incidents.

Lessons from the Ransomware Incident

Blackbaud's payment of a 24 Bitcoin ransom to the attackers in response to the threat of leaking stolen data is a critical lesson for the industry.

In addition to the FTC settlement, Blackbaud has faced financial repercussions, including a $3 million settlement with the SEC and a substantial $49.5 million settlement in a multi-state investigation.

"The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint," the FTC said on Thursday, Feb. 1.

Moving Forward with Accountability

The joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya acknowledges the severity of Blackbaud's failure to convey the full scope of the breach.

The agreement marks a pivotal step toward accountability to ensure that the organizations prioritize data security and transparency in their operations.

As Blackbaud navigates the aftermath of the settlement, the broader industry should be aware of the consequences if its cybersecurity practices are left untested and weak. There should be rounds of improvements done to safeguard the sensitive information effectively.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics