Dive Brief:
- Blackbaud needs to delete any unnecessarily stored data under a proposed settlement with the Federal Trade Commission reached in connection with a 2020 ransomware attack.
- The software firm, which previously reached a $3 million settlement with the Securities and Exchange Commission over the same incident, will be required to develop an information security program that addresses key issues raised by the FTC action and inform the agency of any future data breach.
- “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a statement. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
Dive Insight:
Blackbaud, which provides software to schools, hospitals and nonprofits, was hit by a ransomware attack in 2020 that impacted about 13,000 customers.
The South Carolina-based company paid the hackers a ransom worth $235,000 in Bitcoin after the threat actor promised to delete personal customer data, according to the FTC complaint. The company later misled customers about the scope of the data exfiltration, according to the FTC and SEC.
Customers later suffered fraudulent abuse of their personal data, according to the FTC complaint. The hackers stole bank account data and Social Security numbers, but the company provided misleading information about the risk in the initial breach notifications.
Blackbaud President and CEO Mike Gianoni said protecting the privacy of customers and their partners will “always be of paramount importance” and that the company continues to strengthen its cybersecurity and compliance programs.
The company was not fined nor did it admit to or deny the allegations by the FTC.
Blackbaud paid $3 million in March 2023 to settle the SEC probe into the attack, because the company made misleading statements in a 10-Q filing and later tried to clean it up in subsequent filings.
The company hired a new CISO in 2022 and later that year added United Airlines CISO Deneen DeFiore to its board of directors.
The requirement to disclose future breaches to the FTC is not a trivial issue. A prior FTC investigation of Uber led to the federal investigation and conviction of former Uber CSO Joe Sullivan. Sullivan and Uber concealed a ransomware attack from the FTC after the agency was investigating the company’s data security practices in a previous case