In a pivotal settlement with the Federal Trade Commission (FTC), Blackbaud, a prominent provider of cloud-based donor data management software, has addressed charges of lax security practices that led to a ransomware attack and a consequential data breach in May 2020. 

The agency only wants Blackbaud to improve the way it handles any cybersecurity incident so as to mitigate the impact that the customers have to shoulder.

FTC's Allegations and Mandates for Improvement

The FTC's complaint outlines Blackbaud's failure to effectively monitor and thwart hacker attempts, implement strong data segmentation, delete unnecessary data, enforce multi-factor authentication, and assess security controls adequately. 

According to the FTC, the settlement mandates significant improvements in security measures, including the implementation of multifactor authentication and the regular testing and review of security controls.

Related Article: New York Attorney General Files Lawsuit Against Citibank Over Failed Anti-Breach Practices

Addressing Password Vulnerabilities

The FTC's complaint points out a critical lapse in Blackbaud's practices related to employee passwords, highlighting the use of default, weak, or identical passwords. The settlement necessitates a fundamental shift in password policies, emphasizing the creation and adherence to strong, unique passwords to bolster overall security.

Establishing a Strong Data Retention Schedule

As part of the settlement terms, Blackbaud is required to develop a comprehensive data retention schedule. This schedule must outline the rationale behind retaining personal data and specify clear timelines for its deletion. This initiative aims to address concerns related to unnecessary data storage and reinforces the importance of timely data disposal.

Proactive Reporting and Accurate Disclosures

Apart from the ones mentioned above, the settlement places a strong emphasis on the accurate portrayal and communication of data security and retention practices. 

According to Bleeping Computer, Blackbaud is prohibited from misleading representations and is required to promptly notify the FTC in the event of any future data breaches that warrant reporting to relevant authorities. This proactive approach ensures transparency in handling security incidents.

Lessons from the Ransomware Incident

Blackbaud's payment of a 24 Bitcoin ransom to the attackers in response to the threat of leaking stolen data is a critical lesson for the industry.

In addition to the FTC settlement, Blackbaud has faced financial repercussions, including a $3 million settlement with the SEC and a substantial $49.5 million settlement in a multi-state investigation. 

"The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint," the FTC said on Thursday, Feb. 1.

Moving Forward with Accountability

The joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya acknowledges the severity of Blackbaud's failure to convey the full scope of the breach.

The agreement marks a pivotal step toward accountability to ensure that the organizations prioritize data security and transparency in their operations.

As Blackbaud navigates the aftermath of the settlement, the broader industry should be aware of the consequences if its cybersecurity practices are left untested and weak. There should be rounds of improvements done to safeguard the sensitive information effectively.

Read Also: 23andMe Blames Victims for Stolen Data in Latest Letter