Blackbaud has reached a settlement agreement with the Federal Trade Commission (FTC) following charges of inadequate security measures and irresponsible data retention practices that led to the Blackbaud Data Breach in May 2020, impacting a large number of individuals.
Blackbaud is a publicly-traded company listed on NASDAQ that operates globally. They specialize in providing cloud-based donor data management software to nonprofit organizations, including charities, educational institutions, and healthcare agencies.
Blackbaud, be required to delete personal data it doesn’t need as part of a Federal Trade Commission settlement holding the company responsible for poor data practices that allowed a hacker to exfiltrate sensitive information belonging to millions of customers, the agency announced Thursday.
The Federal Trade Commission (FTC) found that Blackbaud’s weak security practices were in direct contradiction to the promises made to customers in its privacy policy.
These practices allowed the hacker involved in the February 2020 breach to gain access to files containing unencrypted personal data of millions of consumers.
The compromised data included sensitive information such as Social Security numbers, financial and medical details, employment information, account credentials, and other highly personal data.
FTC Says Inadequate Encryption Practices Led to Blackbaud Data Breach
According to the FTC, the Blackbaud Data Breach was exacerbated by Blackbaud’s poor encryption practices. For instance, the company allowed customers to input Social Security numbers and bank account information into “unencrypted fields,” which were not intended for storing such sensitive information.
Additionally, Blackbaud failed to encrypt attachments containing personal data that customers uploaded. Furthermore, the agency noted that even database backup files, including records of past customers, were left unencrypted by the company.
The FTC revealed that Blackbaud had retained consumer data for an extended period, even beyond the necessary timeframe. This included data from customers who had switched to unaffected products, as well as potential customers. Despite earning approximately $1.1 billion in 2022, Blackbaud only offered limited credit monitoring services to a select number of affected consumers following the Blackbaud Data Breach.
Blackbaud Response and Investigation was Inadequate and the Company Mislead Consumers
It is worth noting that the company’s website does not list a spokesperson, and there was no immediate response from various divisions, including the sales office, to emails sent. Furthermore, Blackbaud waited almost two months after discovering the breach to inform customers, and the FTC found their response and investigation to be severely inadequate. The FTC criticized the company for downplaying the seriousness of the breach and deceiving customers in the process.
According to the FTC, Blackbaud provided misleading information to its customers regarding the extent of the data breach. Specifically, they informed customers that the hacker did not gain access to sensitive information such as credit card details, bank account information, or Social Security numbers.
“No action is required on your end because no personal information about your constituents was accessed,”
FTC complaint quoted from the breach notification.
Two weeks later, Blackbaud learned that such information had been breached, but did not tell customers about the scope of the hack until October 2020.
“Blackbaud’s deceptive statements, combined with the months’ long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary,”
“Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft.”
FTC complaint said.
The FTC’s proposed order mandates that Blackbaud not only erase data it no longer needs to “provide products or services to its customers,” but also prevents the company from lying about its data security and data retention policies.
According to the agency, the proposed order also forces Blackbaud to create a “comprehensive information security program” and establish a data retention policy detailing when it will delete data and why it keeps it.
The FTC’s proposed order mandates that Blackbaud not only erase data it no longer needs to “provide products or services to its customers,” but also prevents the company from lying about its data security and data retention policies.
According to the agency, the proposed order also forces Blackbaud to create a “comprehensive information security program” and establish a data retention policy detailing when it will delete data and why it keeps it.
