Blackbaud, a software provider based in the Lowcountry, has been ordered by the Federal Trade Commission (FTC) to revamp its security practices after a significant data breach exposed the personal information of millions of consumers. The breach, which occurred in early 2020, went undetected for three months and compromised sensitive data from 13,000 customers, including contact details, Social Security numbers, and protected health information.
The FTC’s mandates require Blackbaud to delete unnecessary data and accurately represent its data security policies. The company must also notify the FTC of any future data breaches, along with reporting to local, state, or federal agencies.
The FTC’s investigation revealed that Blackbaud had misled consumers by falsely claiming to have robust data protection measures in place. In reality, the company did not monitor hacking attempts effectively nor organize data to prevent unauthorized access. Consequently, hackers managed to breach a Blackbaud database and extract unencrypted sensitive consumer data.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, criticized Blackbaud’s inadequate security measures, stating, “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
The FTC also reported that Blackbaud paid a ransom of 24 Bitcoin, valued at approximately $250,000, to prevent the hackers from exposing the stolen data. However, the company did not verify the deletion of the data post-payment.
In addition to the FTC’s directives, Blackbaud has faced other repercussions. In October, South Carolina Attorney General Alan Wilson announced a nearly $50 million settlement with Blackbaud for violating consumer protection laws, breach notification laws, and HIPAA due to inadequate data security practices. Wilson also highlighted that Blackbaud would be enhancing its data security policies.
