Blackbaud will be required to delete personal data it doesn't need to retain as part of a proposed settlement with the Federal Trade Commission. An FTC official also referred to "Blackbaud's shoddy security and data retention" that let a hacker access records for millions of customers in 2020.

The Commission voted 3 to 0 to issue an administrative complaint and accept the proposed consent agreement, which is subject to a 30-day comment period before being made final. In an SEC filing, Blackbaud reported the FTC had not proposed a fine or any payment. Under the agreement, the company neither admitted nor denied allegations.

The breach went undetected for three months. Blackbaud then agreed to pay a ransom of about $250,000 to prevent the hacker from exposing the stolen data, without ever confirming that the intruder actually deleted it.

It then waited almost two months to tell customers about the breach, and it misled them about its scope even though Blackbaud knew as early as July 2020 that the hacker had obtained data such as Social Security and bank account information.

In October, Blackbaud agreed to pay 49 states and the District of Columbia $49.5 million to settle litigation about the breach. Only California was not involved in the settlement. It has also paid $3 million to the SEC.

The FTC announcement said Blackbaud failed to monitor for hacker attempts to breach its networks, segment data to keep intruders from easily accessing its networks and databases, ensure unneeded data is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. It also allowed employees to use default, weak, or identical passwords.

Once the hacker accessed one database, it was able to move easily across multiple Blackbaud-hosted environments. The data that was retained unnecessarily included that of former customers.
