Connect with us

Hi, what are you looking for?



FTC Orders Blackbaud to Address Poor Security Practices

FTC and fundraising software company Blackbaud reach settlement over poor security practices that led to a major data breach.

The FTC has reached a settlement with fundraising software provider Blackbaud over poor security practices that led to a significant data breach.

Hackers accessed Blackbaud systems in early 2020 and obtained vast amounts of sensitive customer data. The company failed to detect the breach for three months, then waited nearly two months to disclose the incident, and even then it initially downplayed its extent.

Blackbaud agreed to pay a 24 bitcoin ($250,000) ransom to the cybercriminals, but did not take steps to ensure that they would actually delete the stolen data, the FTC said.

In its complaint, the government watchdog said Blackbaud had poor security practices in several areas, including failure to encrypt sensitive customer data, to properly monitor and segment its network, to implement multifactor authentication and prevent the use of weak passwords, and to delete data that was no longer needed.

As part of the settlement with the FTC, Blackbaud will have to develop a comprehensive information security program, and delete data that is no longer needed to provide its products and services.

This comes just months after Blackbaud agreed to pay $49.5 million to settle data breach claims brought by the attorneys general of 49 states and Washington, DC.

“This is one more example that the FTC is artfully and progressively policing US cyber space for poor data protection practices, which may fall under Article 5(a) of the FTC Act (‘unfair and/or deceptive acts or practices’),” Ilia Kolochenko, CEO and chief architect at ImmuniWeb, told SecurityWeek

“The ‘Mandated Information Security Program’ section of the FTC Order to Blackbaud is very detailed and covers virtually all technical aspects of a comprehensive cybersecurity program. Non-compliance with the Order can be punished with a hefty monetary fine, so cybersecurity will likely become a high priority for Blackbaud during the next years.” added Kolochenko, who is also an adjunct professor of cybersecurity and cyber law at Capital Technology University.

Advertisement. Scroll to continue reading.

Related: New York Sues Citibank Over Poor Data Security

Related: Medical Company Fined $450,000 by New York AG Over Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...