Type to search

Culture Philanthropy

Blackbaud in Consent Agreement With FTC

Technology firm Blackbaud will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission (FTC). The settlement stems from charges that the company’s security allowed a hacker to breach its network during 2020 and access the personal data of millions of donors, including Social Security and bank account numbers.

The commissioners voted 3-0 to issue an administrative complaint and to accept a proposed consent agreement with Blackbaud. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement on February 1.

“We are pleased to resolve this matter with the FTC,” said Mike Gianoni, president and CEO of Blackbaud, via a statement. “Protecting our customers’ and their constituents’ privacy will always be of paramount importance to Blackbaud, and we continue to strengthen our cybersecurity and compliance programs with the goal of improving our resilience in an ever-changing threat landscape.”

Blackbaud earlier this year settled with 49 states and the District of Columbia, paying $49.5 million in a settlement of a joint multistate investigation of the breach. Blackbaud also settled with the Securities and Exchange Commission (SEC), agreeing to pay $3 million to the SEC to settle charges for making allegedly misleading disclosures about the 2020 ransomware attack that impacted more than 13,000 customers.

In its complaint, the FTC alleged that Blackbaud, which provides data services and financial, fundraising and administrative software services to companies, nonprofits, healthcare organizations and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

Blackbaud agreed to pay a ransom of 24 bitcoins, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the FTC complaint.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection (BCP), said via a statement. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

Access to MinistryWatch content is free.  However, we hope you will support our work with your prayers and financial gifts.  To make a donation, click here.

According to the FTC statement, Blackbaud failed to put in place promised safeguards. The examples the FTC gave is that the company allegedly failed to monitor attempts by hackers to breach its networks, did not segment data to prevent hackers from easily accessing its networks and databases, failed to ensure data that is no longer needed is deleted, and did not adequately implement multifactor authentication or test, review and assess its security controls. In addition, the company allowed employees to use default, weak or identical passwords for their accounts, according to the FTC complaint.

Blackbaud and the BCP executed a 17-page Agreement Containing Consent Order. It includes: “(1) statements by Respondents that it neither admits nor denies any of the allegations in the draft Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, it admits the facts necessary to establish jurisdiction; and (2) waivers and other provisions as required by the Commission’s Rules.”

When the FTC issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

The incident was first reported by The NonProfit Times in July 2020 and updated with more information shortly thereafter.

Blackbaud is a public company listed on NASDAQ. Its stock price closed at $82.27 per share, off its 52-week high of $88.56 and nearly 30 points more than its 52-week low of $53.39. The firm has a market capitalization of $4.43 billion.

Blackbaud’s board of directors last month approved the buyback of up to $500 million of company stock, doubling their previously approved $250 million repurchase plan announced late last year.

The repurchase program allows the company to buy back its common stock on the open market or through private transactions. Following the initially approved repurchase plan, the company reacquired just less than $41.1 million of its shares in December and another $600,000 following the latest buyback authorization last month.

Approximately $499.4 million in funds — about 11% of Blackbaud’s total market capitalization of $4.43 billion — remained available for purchase under the stock buyback program as of late last month.

This article was originally published by The NonProfit Times.

Paul Clolery

Paul Clolery is vice president and editorial director of NPT Publishing Group and The NonProfit Times, the leading business publication for the charitable, tax-exempt sector.