FTC settles with Blackbaud over poor data practices leading to massive hack
Blackbaud, a data and software services company, will be required to delete personal data it doesn’t need as part of a Federal Trade Commission settlement holding the company responsible for poor data practices that allowed a hacker to exfiltrate sensitive information belonging to millions of customers, the agency announced Thursday.
The South Carolina-based company’s weak security practices contradicted promises it made to customers in its privacy policy, allowing the hacker behind the February 2020 breach to access files containing unencrypted personal data for millions of consumers, including Social Security numbers, financial and medical information, employment information and account credentials along with a raft of other highly personal data, the FTC said.
Blackbaud’s customers — some 45,000 companies, schools, nonprofits, health care organizations, and individual consumers — use its financial, fundraising, and administrative software services, according to the FTC complaint.
Poor encryption practices made the breach far worse than it otherwise would have been, the FTC said. For example, the company let customers place Social Security numbers and bank account information in “unencrypted fields” which the FTC said were not designed to store the information. Blackbaud customers also could upload attachments containing personal data, which Blackbaud then failed to encrypt. Database backup files storing records — even for past customers — also were not encrypted, the agency said.
The FTC said Blackbaud retained consumer data for years beyond when it was needed, including for “customers who had switched to products not affected by the breach, and even potential customers.”
Blackbaud earned about $1.1 billion in 2022 but only provided a limited number of affected consumers with credit monitoring services following the breach.
The company has no spokesman listed on its website and no operator at its headquarters. Emails sent to several divisions of the company such as its sales office were not immediately responded to.
The company waited for nearly two months after it discovered the breach to tell customers, and then deceived them about its seriousness, the FTC said, calling the company’s investigation “exceedingly inadequate.”
Specifically, the FTC said, Blackbaud told customers the hacker did not gain access to credit card information, bank account information or Social Security numbers. “No action is required on your end because no personal information about your constituents was accessed,” the FTC complaint quoted from the breach notification.
Two weeks later, Blackbaud learned that such information had been breached, but did not tell customers about the scope of the hack until October 2020.
“Blackbaud’s deceptive statements, combined with the months’ long delay in providing accurate notice about the breach, led many customers to believe that notification to their consumers was unnecessary,” the FTC complaint said. “Due to this delay in notice, consumers suffered additional harm because they had no way to know that they needed to take any mitigating steps to protect themselves from identity theft.”
The FTC’s proposed order not only mandates that Blackbaud erase data it no longer needs to “provide products or services to its customers,” but also bars the company from lying about its data security and data retention policies.
According to the agency, the proposed order also forces Blackbaud to create a “comprehensive information security program” and establish a data retention policy detailing when it will delete data and why it keeps it.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.