Skip to main content
close search
site logo
Dive Brief

Blackbaud settles FTC data security probe into 2020 ransomware attack

The company is required to delete unnecessary data and inform the agency of future breaches.

Published Feb. 2, 2024
David Jones's headshot
Reporter
M&A, merger due diligence
NicoElNino via Getty Images

First published on

Cybersecurity Dive
This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • Blackbaud, a company whose products include ed tech, needs to delete any unnecessarily stored data under a proposed settlement with the Federal Trade Commission reached in connection with a 2020 ransomware attack. 
  • The software firm, which previously reached a $3 million settlement with the Securities and Exchange Commission over the same incident, will be required to develop an information security program that addresses key issues raised by the FTC action and inform the agency of any future data breach. 
  • “Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of customers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection said in a statement. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

Dive Insight:

Blackbaud was hit by a ransomware attack in 2020 that impacted about 13,000 customers. 

The South Carolina-based company paid the hackers a ransom worth $235,000 in Bitcoin after the threat actor promised to delete personal customer data, according to the FTC complaint. The company later misled customers about the scope of the data exfiltration, according to the FTC and SEC. 

Customers later suffered fraudulent abuse of their personal data, according to the FTC complaint. The hackers stole bank account data and Social Security numbers, but the company provided misleading information about the risk in the initial breach notifications. 

Blackbaud President and CEO Mike Gianoni said protecting the privacy of customers and their partners will “always be of paramount importance” and that the company continues to strengthen its cybersecurity and compliance programs. 

The company was not fined nor did it admit to or deny the allegations by the FTC. 

Blackbaud paid $3 million in March 2023 to settle the SEC probe into the attack, because the company made misleading statements in a 10-Q filing and later tried to clean it up in subsequent filings. 

The company hired a new CISO in 2022 and later that year added United Airlines CISO Deneen DeFiore to its board of directors. 

The requirement to disclose future breaches to the FTC is not a trivial issue. A prior FTC investigation of Uber led to the federal investigation and conviction of former Uber CSO Joe Sullivan. Sullivan and Uber concealed a ransomware attack from the FTC after the agency was investigating the company’s data security practices in a previous case

Filed Under: Technology

Editors' picks

Company Announcements

View all | Post a press release
TinkRworks and 1st Maker Space Partner to Help Schools Bring STEAM to Life with Project-based …
From TinkRworks
November 12, 2024
Education Nonprofit Brings International Economics Olympiad to United States
From Certell, Inc.
November 12, 2024
Ulster BOCES Opens Application for Conference “Deep Dive” Session Facilitators
From Ulster BOCES
October 29, 2024
Survey Reveals Cybersecurity and Data Privacy are Top K12 IT Concerns
From StatusGator
November 01, 2024
Editors' picks
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell