The Federal Trade Commission has finalized an order against Blackbaud Inc. settling allegations that its lax security practices allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.
In a complaint first announced in February 2024, the FTC charged that the South Carolina firm, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it collects. As a result of these failures, a hacker in early 2020 exploited weaknesses in Blackbaud’s networks, which went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers. The company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, according to the complaint.
Under the order, Blackbaud is required to delete data that it no longer needs to provide its products or services and is prohibited from misrepresenting its data security and data retention policies. The order also requires Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint and put in place a data retention schedule outlining its data deletion practices. It also requires Blackbaud to notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.
After receiving two comments, the Commission voted 3-0-2 to give final approval to the settlement. Commissioner Andrew Ferguson did not participate and Commissioner Melissa Holyoak was recused.