Business Profile for Blackbaud, Inc.
Additional business information
On February 01, 2024, BBB was made aware of an action filed by the Federal Trade Commission against BLACKBAUD, INC., a corporation. The following is the Press Release issued by the Federal Trade Commission on February 01, 2024:
FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach
FTC says company’s poor security allowed hacker to steal sensitive data of millions of consumers, go undetected for months
South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.
In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.
“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”
The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.
As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.
In addition to failing to encrypt sensitive data and implement adequate firewalls to help protect it, Blackbaud held onto data far longer than was necessary for the purpose for which it was maintained, including information belonging to former customers, according to the complaint.
Once the company detected the breach, Blackbaud agreed to pay a ransom of 24 Bitcoin, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint.
At the same time, the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, telling customers they did not need to take any action in response to the breach, according to the complaint. Even though it knew as early as the end of July 2020 that the hacker had obtained sensitive data including Social Security and bank account information, the company waited another two months before it told its customers about the full scope of the breach. The FTC says this delay harmed consumers who were unable to take steps to protect themselves from potential identity theft and other potential harms resulting from the breach.
In addition to requiring Blackbaud to delete data that it no longer needs to provide products or services to its customers, the proposed order will prohibit the company from misrepresenting its data security and data retention policies. The proposed order also will require Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint. In addition, the company will also be required to put in place a data retention schedule that would detail why it maintains personal data and when it will delete such information. The proposed order also requires that Blackbaud notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.
The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement with Blackbaud. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead staff attorneys on this matter are Cathlin Tully and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
Media Contact
Juliana Gruenwald Henderson
Office of Public Affairs
202-326-2924
Business Details
This is a multi-location business.
- Headquarters: 65 Fairchild St, Daniel Island, SC 29492-7505
- BBB File Opened: 9/28/2009
- Years in Business: 43
- Business Started: 7/15/1981
- Business Started Locally: 7/15/2004
- Date of New Ownership: 7/15/2004
- Type of Entity: Corporation
- Number of Employees: 2001
- Alternate Business Name: YourCause, Smart Tuition
- Business Management: Ms. Anne Caggiano
- Contact Information:
  - Principal: Ms. Anne Caggiano
  - Customer Contact: Mrs. Kim Perry; Ms. Anne Caggiano; Mr. Jim Lozano, Director
Customer Complaints
27 Customer Complaints
Most Recent Customer Complaint
06/26/2024
- Complaint Type: Order Issues
- Status: Unanswered
Customer Reviews
13 Customer Reviews
Most Recent Customer Review
SLG J
1 star, 07/02/2024