FTC finalizes order with Blackbaud over alleged security failures

Lina M. Khan Chair of the Federal Trade Commission | Official website

The Federal Trade Commission (FTC) has finalized an order against Blackbaud Inc., settling allegations that the company's inadequate security measures led to a data breach. The FTC claims that the lax security allowed a hacker to infiltrate the company's network and access personal data of millions of consumers, including Social Security and bank account numbers.

In a complaint first announced in February 2024, the FTC alleged that Blackbaud, a South Carolina firm providing data services and financial, fundraising, and administrative software services to various entities, failed to implement sufficient safeguards for the extensive personal data it collects. Consequently, a hacker exploited weaknesses in Blackbaud’s networks in early 2020. This went undetected for three months, during which time the hacker removed large amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. The company waited nearly two months before notifying its customers about the breach and then allegedly misled consumers about the extent of the stolen data.

Under the order, Blackbaud is required to delete any data it no longer needs for its products or services. It is also prohibited from misrepresenting its data security and retention policies. The order further mandates that Blackbaud develop a comprehensive information security program addressing issues raised by the FTC’s complaint and establish a data retention schedule detailing its data deletion practices. Moreover, should Blackbaud experience another data breach requiring reporting to any local, state, or federal agency, it must notify the FTC.

Following two comments received on this matter, the Commission voted 3-0-2 to give final approval to the settlement. Commissioner Andrew Ferguson did not participate in this vote while Commissioner Melissa Holyoak was recused.

The Federal Trade Commission continues its work promoting competition and protecting and educating consumers. It advises consumers never to respond to demands for money or threats from unknown sources promising prizes or asking for money transfers. More information on consumer topics can be found at consumer.ftc.gov, and fraud, scams, and bad business practices can be reported at ReportFraud.ftc.gov. The FTC also encourages the public to follow its social media channels, read consumer alerts and the business blog, and sign up to receive the latest FTC news and alerts.