Cybersecurity student here (albeit only in my first semester, so I can't call myself an expert yet). One thing you should NEVER do is try to invent your own "clever" cryptography or obfuscation algorithm for sensitive information. ALWAYS follow established industry-standard best practices and use established algorithms that have undergone years of intense scrutiny and battle testing.

Better yet, don't send sensitive information to the client at all. There is no reason for the client to have access to the account ID, even obfuscated. Account blacklisting should have been processed entirely on the server side, and if there is a performance hit to the servers, SE should just accept it and get stronger hardware if necessary.

SE needs to hire a proper cybersecurity expert, preferably full time, or at least as a consultant.
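A sketch of the server-side design the comment above argues for, as an added example that is not part of the original comment and not SE's code: the blacklist is keyed by account ID on the server, and the client only ever receives a random per-viewer handle. The `ChatServer` class, its method names, and the sample accounts are hypothetical and constructed for illustration.

```python
import secrets


class ChatServer:
    """Constructed toy server: account IDs and blacklists never leave it."""

    def __init__(self):
        self._account_of = {}      # character name -> account ID (never serialized)
        self._handle_to_char = {}  # (viewer account, handle) -> character name
        self._blocked = {}         # viewer account -> set of blocked account IDs

    def register(self, character, account_id):
        self._account_of[character] = account_id

    def _handle_for(self, viewer_acct, character):
        # Random handle, valid only for this viewer; it encodes nothing
        # about the target account, so there is nothing to reverse.
        handle = secrets.token_urlsafe(16)
        self._handle_to_char[(viewer_acct, handle)] = character
        return handle

    def block(self, viewer, handle):
        """The client sends only a handle; the server resolves the account."""
        viewer_acct = self._account_of[viewer]
        target = self._handle_to_char.get((viewer_acct, handle))
        if target is None:
            return False  # unknown handle, or one issued to another viewer
        blocked = self._blocked.setdefault(viewer_acct, set())
        blocked.add(self._account_of[target])
        return True

    def deliver(self, viewer, sender, text):
        """Return the payload for the viewer's client, or None if filtered."""
        viewer_acct = self._account_of[viewer]
        if self._account_of[sender] in self._blocked.get(viewer_acct, set()):
            return None  # dropped server-side; the client receives nothing
        return {
            "from": self._handle_for(viewer_acct, sender),
            "name": sender,
            "text": text,
        }
```

Because the block is resolved to an account on the server, a second character on the same account is filtered too, without the client ever holding a value that links the two.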