Blackbaud Inc. agreed to delete unnecessary personal data and implement stronger cybersecurity procedures under a settlement the cloud computing company reached with the Federal Trade Commission after a hacking incident stole personal information from millions of consumers in 2020.

In its administrative complaint, the FTC alleged that Blackbaud failed to use appropriate information security practices to protect consumers’ personal information, enabling a hacker to access a Blackbaud-hosted database in 2020. Blackbaud did not detect the invasion for three months and failed to notify its customers until two months after the discovery, at which time the company misrepresented the breach’s severity, the FTC alleged.