Scrape Timestamp (UTC): 2024-02-01 22:26:23.235
Original Article Text
FTC orders Blackbaud to boost security after massive data breach

Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices, leading to a May 2020 ransomware attack and a data breach affecting millions of people.

Blackbaud is a U.S.-based company listed on NASDAQ with operations in multiple countries and a provider of cloud-based donor data management software catering to nonprofit organizations, like charities, education organizations, and healthcare agencies.

The FTC's complaint alleges that the company "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and "allowed employees to use default, weak, or identical passwords for their accounts."

As part of the settlement, the FTC ordered the software provider to improve its security measures and ensure that it deletes any customer data that is no longer needed from its systems. Blackbaud will also be barred from inaccurately portraying its data security and data retention protocols and will be required to create an information security program designed to rectify the concerns outlined in the FTC's complaint.

According to the proposed order, Blackbaud must also establish a data retention schedule detailing the rationale behind retaining personal data and specifying the timeline for its deletion. Blackbaud is also mandated to promptly notify the FTC in the event of a data breach that requires reporting to relevant local, state, or federal agencies.

"Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.

The FTC says that Blackbaud paid the ransomware gang that stole the personal data belonging to millions of people from its systems a ransom of 24 Bitcoin (worth around $250,000 at the time) after the attackers threatened to leak the stolen data online.

Blackbaud disclosed the breach in July 2020 and later revealed that it impacted data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands, including banking information, social security numbers, and plaintext credentials.

It also submitted an 8-K filing with the U.S. Securities and Exchange Commission (SEC) in September 2020, which left out crucial details regarding the full scope of the breach and downplayed the risk associated with the sensitive stolen information, describing it as hypothetical, according to the SEC.

By November 2020, the company was already a defendant in 23 proposed class-action lawsuits related to the May 2020 breach in the U.S. and Canada.

Blackbaud agreed to pay $3 million in March 2023 to settle SEC charges highlighting its failure to disclose the ransomware attack's "full impact." In October, the cloud provider also agreed to pay $49.5 million to settle a joint multi-state investigation of the breach backed by attorneys general from 49 U.S. states.

"Blackbaud's failure to accurately convey the scope and severity of the breach kept victims in the dark and delayed them from taking protective actions, making a bad situation even worse," said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement.
Daily Brief Summary
Blackbaud, a cloud-based software provider, has settled with the FTC following accusations of insufficient security practices leading to a significant data breach in May 2020.
The FTC charged Blackbaud with failing to monitor for hacking attempts, segment data, enforce data deletion, and properly implement multifactor authentication among other security shortcomings.
The settlement obliges Blackbaud to improve security measures, maintain accurate data security and retention protocols, and establish a comprehensive information security program.
The company must also create a detailed data retention schedule, delete unnecessary customer data, and report future breaches to the FTC promptly.
The breach impacted over 13,000 Blackbaud customers, leaking sensitive data including social security numbers and banking details, and resulted in multiple lawsuits and a hefty settlement payment.
Blackbaud was criticized for initially downplaying the breach's severity in its SEC filings and faced penalties amounting to $3 million and a separate $49.5 million settlement with US states' attorneys general.
FTC officials have emphasized the company's responsibility to secure consumer data and the consequences of inadequate breach disclosure to affected individuals.