FTC Finalizes Settlement with Blackbaud and Orders Deletion of Personal Data
The Federal Trade Commission (FTC) has finalized a settlement with Blackbaud that resolves allegations that the South Carolina firm’s poor security practices allowed a hacker to breach its network and access the personal information of millions of U.S. consumers.
Blackbaud is a provider of financial, fundraising, and administrative software, and its client list includes many non-profits and educational institutions. In February 2020, a hacker exploited security weaknesses and gained access to Blackbaud’s networks. The hacker maintained access to those networks for 3 months before the intrusion was detected in May 2020, during which time the hacker moved laterally and exfiltrated sensitive consumer data. More than 13,000 of its customers were affected, and the data of an estimated 1.5 billion donors, patients, and other individuals was stolen. The hacker, a member of a ransomware gang, issued a demand for payment to prevent the publication of the stolen data. Blackbaud paid a 24-bitcoin ransom to prevent the release of the data.
The FTC investigated Blackbaud and alleged violations of the FTC Act, maintaining that the attack was made possible by “Blackbaud’s shoddy security and data retention practices.” The FTC alleged that Blackbaud failed to monitor repeated attempts to breach its network, failed to segment its network to limit lateral movement in the event of a breach, did not encrypt sensitive data, failed to patch known vulnerabilities, allowed employees to use default or weak passwords, did not implement multifactor authentication, did not test and review its security controls, and retained data that the company no longer needed. After paying the ransom, Blackbaud also waited 2 months before issuing notifications to consumers, and it misled them about the extent of the data that was stolen.
Under the terms of the FTC’s finalized settlement, Blackbaud is required to implement a data retention schedule and delete all data that the company no longer requires to provide its products and services. Blackbaud is prohibited from misrepresenting its security practices and data retention policies and must develop, implement, and maintain a comprehensive information security program that addresses all the security failures detailed in the FTC complaint. In the event of a further data breach that the company is required to report to a local, state, or federal agency, Blackbaud must also notify the FTC.
The FTC settlement does not include a financial penalty; however, Blackbaud agreed to a $3 million settlement with the Securities and Exchange Commission (SEC) for making misleading disclosures about the data breach, and the company agreed to a $49.5 million settlement with 50 state attorneys general that resolved allegations the company violated state laws and the Health Insurance Portability and Accountability Act (HIPAA). More than a dozen class action lawsuits were filed in response to the data breach which were consolidated into a single lawsuit. Last week, a federal judge denied class certification as the plaintiffs failed to meet their burden of proof as to ascertainability.