Software company Blackbaud will be required to delete unnecessary data and boost cybersecurity as part of a proposed settlement with the Federal Trade Commission (FTC) stemming from a 2020 data breach.

The company’s poor data security allowed cybercriminals to steal sensitive data, including Social Security and bank account numbers, the FTC said in a press release Thursday.

In October, Blackbaud agreed to pay $49.5 million in a multistate settlement stemming from the data breach, about which the company allegedly failed to notify customers for two months. The company avoided further monetary penalties in reaching a settlement with the FTC but must abide by certain compliance undertakings as part of a proposed order.

The details: Blackbaud failed to monitor attempts by hackers to breach its networks; segment data to prevent hackers from easily accessing its networks and databases; ensure data that was no longer needed was deleted; adequately implement multifactor authentication; and test, review, and assess its security controls, the FTC alleged in its complaint.

When the ransomware attack occurred in 2020, the breach went undetected for three months, per the FTC. Upon discovery of the breach, the company paid a ransom of 24 bitcoin, worth $250,000 at the time, for the hackers to delete the stolen data. However, the company never verified if the hackers deleted the data, per the complaint.

Compliance considerations: As part of the proposed order, Blackbaud agreed to delete backup files containing covered information that is “not being retained in connection with providing products or services,” the order stated.

Further remedial efforts include:

  • Data retention limits;
  • Instituting an information security program;
  • Conducting an information security assessment by a third party and cooperating with the assessor;
  • Annually certifying its data security program with the chief information security officer’s assistance; and
  • Conducting proper compliance reporting, monitoring, and recordkeeping.

Company response: “We are pleased to resolve this matter with the FTC,” said Mike Gianoni, president and chief executive of Blackbaud, in a press release. “Protecting our customers’ and their constituents’ privacy will always be of paramount importance to Blackbaud, and we continue to strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape.”

The company agreed to the settlement without admitting or denying the FTC’s findings.