The settlement between the Federal Trade Commission (FTC) and Blackbaud regarding the company’s security practices has been finalized.
Blackbaud, a South Carolina-based provider of financial, fundraising, and administrative software for non-profits, educational institutions, and hospitals, suffered a ransomware attack in February 2020. The company assists institutions across the globe and claims that 30 of the top 32 largest nonprofit hospitals utilize their services.
The attack began in February and ended in May, and while Blackbaud’s security system and encryption prevented the full system from being accessed, hackers still managed to steal a backup file containing personal information.
Hacked information included names, addresses, dates of birth, contact information, Social Security numbers, personal health information, financial information, gender, spouse’s name, demographic information, and more.
Ultimately, Blackbaud agreed to pay the ransom, costing them approximately $235,000, and received confirmation that the copy of the stolen information had been removed.
Following the attack, the FTC began an investigation for potential violations of the FTC Act. The commission believed the attack was potentially caused by “Blackbaud’s shoddy security and data retention practices.”
In a statement by Lesley Fair on behalf of the FTC, Fair claimed that Blackbaud failed to implement some of the most basic cybersecurity practices.
The FTC determined that the attack went undetected for three months until the actor was able to log in on a backup server. At this point, the attacker had already stolen tens of thousands of Blackbaud customer data.
According to the FTC’s complaint, Blackbaud had insufficient security practices, including allowing customers to store bank account and Social Security numbers in unencrypted fields and allowing other personal information to remain unencrypted. The FTC also found that Blackbaud did not follow its own data retention policies, instead keeping past customer data far longer than needed.
Finally, the FTC alleged that Blackbaud dramatically misrepresented both the scope and severity of the incident.
Last week, the FTC and Blackbaud finally reached a settlement–approximately four years after the breach.
The settlement does not include a financial penalty. However, Blackbaud has agreed to a $3 million settlement with the Securities and Exchange Commission (SEC) for providing misleading information about the breach and made a settlement of $49.5 million with 50 state attorney generals regarding HIPAA violations.
As part of the FTC settlement, Blackbaud must delete data that it no longer needs, develop a comprehensive information security program, and notify the FTC of any future data breaches.
The incident reminds us of how devastating data breaches can be, especially for large companies that handle massive amounts of data. Blackbaud faced financial repercussions from multiple governing agencies in addition to paying the initial ransom.
It’s possible for large organizations to recover financially, but for smaller companies, the impact can be too difficult to overcome.
As always, preventing a data breach before it happens is the best way to ensure a company won’t face years of legal repercussions.
Read more: HIPAA Compliant Email: The Definitive Guide