FTC orders Blackbaud to overhaul ‘reckless’ security practices in wake of 2020 breach

Education tech company Blackbaud has agreed to settle with the U.S. Federal Trade Commission over the company’s security practices that resulted in a 2020 data breach.

The FTC alleges that Blackbaud, a U.S.-based company that provides financial and administrative software to colleges, nonprofits, healthcare organizations, and far-right organizations, had “lax” security protocols that allowed attackers to breach the company’s network and access the personal data of millions of consumers.

The February 2020 incident saw malicious hackers use a customer’s credentials to gain access to Blackbaud’s network, where they remained undetected for over three months and exfiltrated large amounts of unencrypted sensitive consumer data, including Social Security and bank account numbers.

The South Carolina-based Blackbaud told affected customers at the time that only names, addresses, email addresses, and phone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

Blackbaud, which the FTC claims knew as early as July 2020 that Social Security numbers and financial data had been stolen, did not disclose the full extent of the breach until later that October, nor did it verify that the stolen data had been deleted after agreeing to pay the attackers’ ransom of about $250,000, the FTC said.

According to the FTC’s complaint, Blackbaud failed to implement appropriate cybersecurity measures to prevent a data breach from occurring. The regulator also alleges that the company failed to monitor attempts by hackers to breach its networks, segment data, adequately enforce multi-factor authentication, or test, review and assess its corporate security controls. The company also permitted employees to use default, weak, or identical passwords, the complaint alleges, and failed to patch outdated software and systems in a timely manner, leaving customer networks vulnerable to cyberattacks.

Blackbaud also allowed customers to store Social Security numbers and bank account information in unencrypted fields not specifically designated for those purposes, per the complaint. “Blackbaud’s poor encryption practices magnified the severity of the data breach,” the FTC said.
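One control that follows directly from that allegation is an audit of free-text fields for identifiers that belong only in designated, encrypted fields. The Python below is an added example, not code from Blackbaud or the FTC; the field names, the structural SSN rules, the ABA routing-number checksum and the sample records are assumptions and constructed data.

```python
import re
from dataclasses import dataclass

# Fields built (and presumed encrypted) to hold this data; everything else is free text.
DESIGNATED_FIELDS = {"ssn", "bank_account"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSN rules: area not 000/666/9xx, group not 00, serial not 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def valid_aba_routing(num: str) -> bool:
    """ABA checksum: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    d = [int(c) for c in num]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0

@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str  # "ssn" or "routing_number"

def audit_record(record: dict) -> list:
    """Flag SSN-like and routing-number-like values sitting in non-designated string fields."""
    findings = []
    for field, value in record.items():
        if field in DESIGNATED_FIELDS or not isinstance(value, str):
            continue
        for m in SSN_RE.finditer(value):
            if looks_like_ssn(*m.groups()):
                findings.append(Finding(record["id"], field, "ssn"))
        for m in ROUTING_RE.finditer(value):
            if valid_aba_routing(m.group()):
                findings.append(Finding(record["id"], field, "routing_number"))
    return findings

def audit(records) -> list:
    return [f for r in records for f in audit_record(r)]

# Constructed sample records (hypothetical, not real customer data).
SAMPLE_RECORDS = [
    {"id": "c-1", "name": "A. Donor", "ssn": "<encrypted>", "notes": "Prefers email contact."},
    {"id": "c-2", "name": "B. Donor", "ssn": "<encrypted>", "notes": "SSN 123-45-6789 given by phone"},
    {"id": "c-3", "name": "C. Donor", "ssn": "<encrypted>", "notes": "ACH: routing 110000013 acct ending 4421"},
    {"id": "c-4", "name": "D. Donor", "ssn": "<encrypted>", "notes": "Order #123456789 shipped"},
]
```

Running `audit(SAMPLE_RECORDS)` flags c-2 and c-3 only; the nine-digit order number in c-4 fails the routing checksum and is ignored.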

The regulator has also charged Blackbaud with retaining consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

In a joint statement, FTC chair Lina Khan and fellow Democrat-appointed commissioners Rebecca Kelly Slaughter and Alvaro M. Bedoya accused the company of “reckless data retention practices” for holding on to data it did not need.

Blackbaud, which did not respond to TechCrunch’s questions, has agreed to delete extraneous data and overhaul its cybersecurity practices.