Blackbaud Admits Failure To Disclose, Pays $3 Million Penalty
February 12, 2024
Blackbaud has settled Federal Trade Commission charges of poor security and reckless data retention practices. The charges stemmed from a 2020 data breach and ransomware attack that affected millions of people, according to an article by The Register.
Blackbaud is a NASDAQ-listed company with operations in many countries. The FTC’s complaint alleged that the company “failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls.”
The company also allowed employees to use default, weak, or identical passwords for their accounts. Four months after the attack, it submitted an 8-K filing that falsely called the risk associated with the stolen information “hypothetical.”
The ransomware gang that stole the personal data was paid 24 Bitcoin, worth about $250,000 at the time, but according to the SEC, Blackbaud never verified that the hackers deleted the stolen data.
The settlement includes an FTC order for the company to improve its security and ensure that it deletes unneeded customer data from all its systems. It is barred from describing its data security and data retention protocols inaccurately.
It is mandated to promptly notify the FTC of any data breach that requires reporting to relevant local, state, or federal agencies.
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers. Companies have a responsibility to secure data they maintain and to delete data they no longer need,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.