Settlement Requires Comprehensive Security Measures and Data Deletion to Protect Consumers
WASHINGTON, D.C. — The data services firm Blackbaud Inc., headquartered in South Carolina, is being compelled to delete personal data it no longer requires, following a settlement with the Federal Trade Commission (FTC). The requirement stems from charges alleging that Blackbaud’s inadequate security measures enabled a massive data breach, compromising millions of consumer’s personal information, including Social Security and bank account numbers.
Blackbaud provides data services and financial, fundraising, and administrative software services to a broad range of clients. These include companies, nonprofits, healthcare organizations, and more. According to the FTC, Blackbaud fell short in implementing the necessary protections for the large volumes of personal data it handles as part of its services.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, criticized the organization’s security and data retention practices. “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need,” Levine stated.
The FTC accuses Blackbaud of failing to meet its commitment to customers. While promising to establish appropriate safeguards for user information, Blackbaud allegedly allowed lax practices. These included neglecting to monitor hacker attempts, segment data, ensure data deletion, adequately implement multifactor authentication, and conduct security control tests. Their employees were reportedly also allowed to use default, weak, or identical passwords.
As a result of these oversights, a hacker successfully infiltrated a customer’s Blackbaud-hosted database in 2020, exploiting vulnerabilities and creating new administrator accounts to access sensitive consumer data. The breach went unnoticed for three months, with the hacker harvesting unencrypted data belonging to Blackbaud’s clients.
Blackbaud not only failed to encrypt sensitive data and establish firewalls but also retained customer information beyond its necessary use period. The firm detected the breach once the hacker demanded a ransom of approximately $250,000 in Bitcoin, threatening to reveal the stolen data. Blackbaud paid the ransom but did not confirm the hacker’s deletion of the compromised data.
Further controversy ensued when Blackbaud took nearly two months to notify its customers about the breach and allegedly downplayed its severity. Despite knowing about the breach in July 2020, it didn’t inform its customers about the full scope of the breach until two months later, potentially leaving consumers at risk of identity theft and other harms.
The FTC-enforced order will now require Blackbaud to delete unnecessary data and prohibit the company from misrepresenting its data security and retention policies. Blackbaud will also need to develop an extensive information security program and establish a data retention schedule that clarifies why and when personal data will be deleted. Should Blackbaud suffer from further data breaches, the FTC must be notified.
The agreement with Blackbaud was unanimously accepted by the Commission with the administrative complaint issued on a 3-0 vote. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement.
The implications of this settlement reach beyond Blackbaud. It sends a clear signal to other corporations about the fundamental importance of robust data protection practices and transparency with customers. The responsibility to ensure data security and privacy is reaffirmed, setting a precedent for companies to prioritize these aspects or face serious repercussions.
For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and Microsoft Start.