Data and software services firm Blackbaud’s cybersecurity was criticised as “lax” and “shoddy” by the United States Federal Trade Commission (FTC) in a damning post-mortem of the business’s February 2020 data breach.

According to the FTC, Blackbaud’s poor security breach in February 2020 led to a hacker accessing the company’s customer databases and stealing personal information of millions of consumers in the United States, Canada, the UK, and the Netherlands.

Blackbaud’s affected customers are mainly non-profits, such as healthcare agencies, charities, and educational organizations.

Data stolen by the hacker included unencrypted personal information, such as consumers’ and donors’ full names, ages, dates of birth, social security numbers, addresses, phone numbers, email addresses, financial details (bank account information, estimated wealth, and identified assets), medical and health insurance information, gender, religious beliefs, marital status, spouse names, spouses’ donation history, employment details, salaries, education, and account credentials.

The security failure was exacerbated by Blackbaud not enforcing its own data retention policies, causing customer data to be kept for years longer than necessary. Blackbaud also retained data of former and potential customers for years longer than required.

All of which was a treasure trove for the attacker, who demanded a ransom from Blackbaud or threatened to expose the stolen data. The company paid 24 Bitcoin (worth US $235,000) to the hacker, but was not able to verify if the deleted the data.

The poor data retention practices were not the FTC’s only complaints about Blackbaud’s handling of the incident.

The FTC criticized the company for not notifying customers of the breach for two months after detection, saying Blackbaud had “misrepresented the scope and severity of the breach after an exceedingly inaccurate investigation.”

According to Blackbaud’s customer breach notification of July 16, 2020, “The cybercriminal did not access credit card information, bank account information, or social security numbers… No action is required on your end because no personal information about your constituents was…