Additional Information for Blackbaud, Inc.

This is a multi-location business. Need to find a different location?

close

Find a Location

Blackbaud, Inc. has 4 locations, listed below.

*This company may be headquartered in or have additional locations in another country. Please click on the country abbreviation in the search box below to change to a different country location.

BBB accredited

Near

Country

USUnited States

Please enter a valid location.

Filter

• 

  Blackbaud, Inc.

  65 Fairchild St Daniel Island, SC 29492-7505

• 

  YourCause

  null Plano, TX 75093

• 

  YourCause

  2508 Highlander Way Carrollton, TX 75006

• 

  Blackbaud, Inc.

  115 2nd Ave Waltham, MA 02451-1107

Headquarters

65 Fairchild St, Daniel Island, SC 29492-7505

BBB File Opened:

9/28/2009

Years in Business:

43

Business Started:

7/15/1981

Business Started Locally:

7/15/2004

Date of New Ownership:

7/15/2004

Type of Entity:

Corporation

Number of Employees:

2001

Alternate Business Name

• YourCause
• Smart Tuition

Business Management

• Ms. Anne Caggiano

Contact Information

Principal

• Ms. Anne Caggiano

Customer Contact

• Mrs. Kim Perry
• Ms. Anne Caggiano
• Mr. Jim Lozano, Director

Additional Contact Information

Fax Numbers

• (843) 216-6100
  Primary Fax

Website Addresses

• Website 1
• Website 2

Additional Business Information

Pending Government Action

Government Action: BBB reports on known government actions involving business’ marketplace conduct:

United States of America vs. BLACKBAUD, INC., a corporation.

On February 01, 2024, BBB was made aware of an action filed the Federal Trade Commission against BLACKBAUD, INC., a corporation.  The following is the Press Release issued by the Federal Trade Commission on February 01, 2024:

 

FTC Order Will Require Blackbaud to Delete Unnecessary Data, Boost Safeguards to Settle Charges its Lax Security Practices Led to Data Breach

FTC says company’s poor security allowed hacker to steal sensitive data of millions of consumers, go undetected for months

 

South Carolina-based Blackbaud Inc. will be required to delete personal data that it doesn’t need to retain as part of a settlement with the Federal Trade Commission over charges that the company’s lax security allowed a hacker to breach the company’s network and access the personal data of millions of consumers including Social Security and bank account numbers.

In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising, and administrative software services to companies, nonprofits, healthcare organizations, and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.

“Blackbaud’s shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

The FTC says that, despite promising customers that it takes “appropriate physical, electronic and procedural safeguards to protect your personal information,” Blackbaud deceived users by failing to put in place such safeguards. For example, the company failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. In addition, the company allowed employees to use default, weak, or identical passwords for their accounts, according to the complaint.

As a result of these failures, a hacker in early 2020 accessed a customer’s Blackbaud-hosted database, according to the complaint. Once logged in, the attacker was able to freely move across multiple Blackbaud-hosted environments by leveraging existing vulnerabilities and local administrator accounts and creating new administrator accounts, according to the complaint. The breach went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data belonging to Blackbaud’s customers.

In addition to failing to encrypt sensitive data and implement adequate firewalls to help protect it, Blackbaud held onto data far longer than was necessary for the purpose for which it was maintained, including information belonging to former customers, according to the complaint.

Once the company detected the breach, Blackbaud agreed to pay a ransom of 24 Bitcoin, worth about $250,000, after the hacker threatened to expose the stolen data. The company never verified, however, that the hacker actually deleted the stolen data, according to the complaint.

At the same time, the company waited nearly two months to notify its customers about the breach and then misled consumers about the extent of the data that was stolen, telling customers they did not need to take any action in response to the breach, according to the complaint. Even though it knew as early as the end of July 2020 that the hacker had obtained sensitive data including Social Security and bank account information, the company waited another two months before it told its customers about the full scope of the breach. The FTC says this delay harmed consumers who were unable to take steps to protect themselves from potential identity theft and other potential harms resulting from the breach.

In addition to requiring Blackbaud to delete data that it no longer needs to provide products or services to its customers, the proposed order will prohibit the company from misrepresenting its data security and data retention policies. The proposed order also will require Blackbaud to develop a comprehensive information security program that would address the issues highlighted by the FTC’s complaint. In addition, the company will also be required to put in place a data retention schedule that would detail why it maintains personal data and when it will delete such information. The proposed order also requires that Blackbaud notify the FTC if it experiences a future data breach that it is required to report to any other local, state, or federal agency.

The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement with Blackbaud. FTC Chair Lina M. Khan and Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a joint statement.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744. 

The lead staff attorneys on this matter are Cathlin Tully and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.


Media Contact
Juliana Gruenwald Henderson
Office of Public Affairs
202-326-2924

Click here for details

Business Categories

Computer Software, Billing Services