The Federal Trade Commission (FTC) has finalized a settlement order with Blackbaud Inc., addressing the firm's inadequate security measures that resulted in a significant data breach.
The breach exposed the sensitive information of millions of consumers, including Social Security and bank account numbers, and the company delayed notifying its customers about the extent of the breach.
The FTC's complaint, initially filed in February 2024, accused Blackbaud of failing to implement adequate safeguards to protect the vast amounts of personal data it managed. Blackbaud, a South Carolina-based company, provides data services and financial, fundraising, and administrative software to over 45,000 organizations, including nonprofits and educational institutions.
The breach occurred in early 2020 when a hacker exploited vulnerabilities in Blackbaud's network, accessing and stealing unencrypted sensitive data over a period of three months before detection.
The compromised data included names, Social Security numbers, bank account details, medical information, and more. Despite discovering the breach in May 2020, Blackbaud waited nearly two months to inform its customers and then misrepresented the scope of the data theft.
FTC findings and provisions
The FTC's detailed complaint outlined Blackbaud's significant security lapses, including:
- Weak password policies and inadequate multi-factor authentication.
- Insufficient monitoring and logging of data transfers.
- Poorly enforced data retention policies, leading to the retention of data longer than necessary.
- Misleading statements about the security breach, which led to delayed and inaccurate notifications to affected customers.
Under the terms of the FTC order, Blackbaud must:
- Delete data not required for its services and maintain a data retention schedule to prevent indefinite data storage.
- Stop making false claims about its data security and retention practices.
- Develop and maintain a comprehensive information security program addressing the FTC's concerns, including regular risk assessments, multi-factor authentication, and encryption of sensitive data.
- Inform the FTC about any future breaches that must be reported to other agencies.
The order received final approval with a 3-0-2 vote from the Commission.
The FTC noted once more that organizations handling sensitive consumer data should implement strong password policies and multi-factor authentication, regularly monitor and log data access and transfers, adhere to strict data retention schedules, delete unnecessary data promptly, and provide timely and accurate breach notifications to affected parties.
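The complaint faults insufficient monitoring and logging of data transfers, and the theft went undetected for about three months. The script below is an added example (not from the article, the FTC order, or Blackbaud) of the kind of check that monitoring is meant to enable: it reads outbound-transfer log lines, builds a per-account daily baseline, and flags a day whose volume is far above that baseline. The log format, the account names, the IP addresses, and the thresholds are all constructed for the example.

```python
"""Flag unusually large outbound data transfers from transfer-log lines.

Added example, not code from the article or from Blackbaud. The log format
below is a constructed one:
    2020-02-07T03:14:00Z user=svc_backup bytes_out=1500000 dest=203.0.113.5
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a service account that normally moves about 2 MB a day
# suddenly sends 450 MB to an external address on 2020-02-07.
SAMPLE_LOG = """\
2020-02-01T02:00:00Z user=svc_backup bytes_out=2000000 dest=10.0.0.9
2020-02-02T02:00:00Z user=svc_backup bytes_out=2100000 dest=10.0.0.9
2020-02-03T02:00:00Z user=svc_backup bytes_out=1900000 dest=10.0.0.9
2020-02-04T02:00:00Z user=svc_backup bytes_out=2050000 dest=10.0.0.9
2020-02-05T02:00:00Z user=svc_backup bytes_out=2000000 dest=10.0.0.9
2020-02-06T02:00:00Z user=svc_backup bytes_out=1950000 dest=10.0.0.9
2020-02-07T02:00:00Z user=svc_backup bytes_out=2000000 dest=10.0.0.9
2020-02-07T03:14:00Z user=svc_backup bytes_out=450000000 dest=203.0.113.5
2020-02-07T09:00:00Z user=alice bytes_out=300000 dest=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) bytes_out=(?P<bytes>\d+) dest=(?P<dest>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; reject malformed lines loudly."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "bytes": int(m["bytes"]),
        "dest": m["dest"],
    }


def daily_totals(records):
    """Return {user: {date: total bytes_out}} from parsed records."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][r["ts"].date()] += r["bytes"]
    return totals


def find_volume_anomalies(log_text, factor=10, floor_bytes=50_000_000, min_history=3):
    """Flag days where an account's outbound volume exceeds `factor` times the
    median of its earlier daily totals and is above an absolute floor.

    The floor keeps tiny accounts from alerting on noise; `min_history` avoids
    judging an account before a baseline exists. Thresholds are assumptions.
    """
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []
    for user, per_day in daily_totals(records).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = statistics.median(history)
            today = per_day[day]
            if today >= floor_bytes and today > factor * baseline:
                dests = sorted(
                    {r["dest"] for r in records
                     if r["user"] == user and r["ts"].date() == day}
                )
                alerts.append({
                    "user": user,
                    "date": day.isoformat(),
                    "bytes": today,
                    "baseline": baseline,
                    "dests": dests,
                })
    return alerts


if __name__ == "__main__":
    for a in find_volume_anomalies(SAMPLE_LOG):
        print(f"{a['date']} {a['user']}: {a['bytes']} bytes "
              f"(baseline {a['baseline']:.0f}) to {', '.join(a['dests'])}")
```

Run as-is, the script reports one alert for svc_backup on 2020-02-07, listing both the usual internal host and the new external destination; alice has too little history to be judged. A real deployment would feed this from a log pipeline and tune the factor and floor per account class, but the point of the check is the one the order makes: without transfer logging in the first place, there is nothing to baseline.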