Cloud provider Blackbaud has reached a settlement with the Federal Trade Commission (FTC) over charges of inadequate security and reckless data retention practices that led to a ransomware attack and a significant data breach in May 2020. The FTC alleges that Blackbaud failed to monitor hacking attempts, segment data, implement multifactor authentication, and enforce secure password practices among employees. As part of the settlement, Blackbaud is required to improve its security measures, delete unnecessary customer data, and establish a data retention schedule. The company is also barred from inaccurately portraying its data security and retention protocols.
The FTC’s complaint stems from a ransomware attack in which Blackbaud paid 24 Bitcoin (worth around $250,000 at the time) to attackers who were threatening to leak the stolen data online. Despite paying the ransom, Blackbaud did not verify that the stolen data had been deleted. The breach, disclosed in July 2020, affected over 13,000 Blackbaud business customers and their clients, exposing sensitive information such as banking details and Social Security numbers. Blackbaud also faced legal consequences, settling with the SEC for $3 million in March 2023 and agreeing to pay $49.5 million in a multi-state investigation settlement in October.
The settlement emphasizes the responsibility of companies to secure and manage data appropriately, with the FTC ordering Blackbaud to create an information security program addressing the outlined concerns. The cloud provider is mandated to promptly notify the FTC of any future data breaches requiring reporting to relevant authorities. The joint statement from FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya criticizes Blackbaud’s failure to accurately convey the breach’s severity, leaving victims unaware and delaying protective actions.