FTC Finalizes Order Against Blackbaud Over 2020 Data Breach

The Federal Trade Commission has finalized a settlement order against Blackbaud Inc. over allegations that lax security practices at the cloud software company led to a massive data breach in 2020 exposing millions of people's personal information.

On Monday, the FTC announced the finalized order resolving charges that Blackbaud failed to employ appropriate safeguards to secure and protect the vast troves of sensitive consumer data it collects and maintains as part of its fundraising, financial management, and other services for nonprofits, companies, and other organizations.

According to the FTC's complaint first issued in February 2024, a hacker was able to exploit security vulnerabilities in Blackbaud's network systems in early 2020, gaining undetected access for three months. This allowed the hacker to remove data containing Social Security numbers, bank account information, and other personal details belonging to millions of Blackbaud's customers' donors, employees, and others.

The agency alleged that Blackbaud then waited nearly two months to notify its customers about the breach, while also misleading consumers about the extent of the sensitive data exposed in the incident.

Under the terms of the final order, Blackbaud must develop and implement a comprehensive data security program to address the vulnerabilities identified in the complaint. It is also required to delete consumer data it no longer needs, prohibited from misrepresenting its data security and retention practices, and obligated to notify the FTC about future breaches.

The FTC's 3-0-2 vote gave final approval to the settlement order after considering two public comments received. Commissioners Andrew Ferguson and Melissa Holyoak did not participate in the vote.

The order against Blackbaud represents the latest action by the FTC to police data security lapses that expose consumer information to cyber threats and hold companies accountable for privacy violations.
