Blackbaud Enhances Security Measures Following FTC Settlement

Recent events surrounding Blackbaud's settlement with the FTC bring attention to the broader issue of safeguarding sensitive information.


Blackbaud, a major player in U.S. donor data management, recently settled with the Federal Trade Commission (FTC) after facing scrutiny for a ransomware attack in May 2020. This attack led to a substantial data breach affecting millions of individuals. The FTC's concerns revolved around security lapses, including weak passwords and insufficient monitoring of hacking attempts. The settlement marks a crucial step for Blackbaud, emphasising the need for enhanced security measures and data protection.

The FTC's complaint highlighted various security lapses by Blackbaud, including a failure to monitor hacking attempts, inadequate data segmentation, weak password practices, and a lack of multifactor authentication. As part of the settlement, Blackbaud is now mandated to enhance its security measures and delete unnecessary customer data from its systems.

One crucial aspect of the settlement requires Blackbaud to establish a data retention schedule, outlining the rationale behind retaining personal data and specifying a timeline for its deletion. The company is also obligated to promptly notify the FTC in the event of a data breach requiring reporting to relevant authorities.

The FTC alleges that Blackbaud paid a ransom of 24 Bitcoin (worth around $250,000 at the time) to the ransomware gang that stole the sensitive personal data. However, the complaint states that the company never verified whether the attackers actually deleted the stolen data. The breach, disclosed in July 2020, affected over 13,000 Blackbaud business customers and their clients across the U.S., Canada, the U.K., and the Netherlands, exposing banking information, Social Security numbers, and plaintext credentials.

The aftermath of the breach saw Blackbaud facing 23 proposed class-action lawsuits in the U.S. and Canada by November 2020. In March 2023, the company agreed to pay $3 million to settle SEC charges for failing to disclose the full impact of the ransomware attack. Additionally, in October, Blackbaud agreed to a $49.5 million settlement to resolve a multi-state investigation supported by attorneys general from 49 U.S. states.

FTC Chair Lina M. Khan emphasised the severity of Blackbaud's failure to accurately convey the breach's scope, stating that it kept victims in the dark and delayed necessary protective actions. The settlement not only addresses security measures but also requires Blackbaud to avoid misrepresenting its data security and retention protocols in the future.

This settlement serves as a reminder of the responsibility companies bear in securing and managing the data they handle. It underscores the importance of robust cybersecurity practices, regular monitoring, and prompt disclosure in the event of a breach. Incidents like this one show how important it is for companies not only to protect the data entrusted to them, but also to be transparent with their clients and stakeholders when that protection fails.
