Sunday, May 26, 2024

Blackbaud Settles FTC Probe on 2020 Ransomware


The company must delete unnecessary data and inform the agency of future breaches.

Blackbaud, which provides software to schools, hospitals, and nonprofits, was hit by a ransomware attack in 2020 that impacted about 13,000 customers. 

According to the FTC complaint, the South Carolina-based company paid the hackers a ransom worth $235,000 in Bitcoin after the threat actor promised to delete personal customer data. According to the FTC and SEC, the company later misled customers about the scope of the data exfiltration. 

According to the FTC complaint, customers later suffered fraudulent abuse of their data. The hackers stole bank account data and Social Security numbers, but the company provided misleading information about the risk in the initial breach notifications. 

Blackbaud President and CEO Mike Gianoni said protecting the privacy of customers and their partners will “always be of paramount importance” and that the company continues to strengthen its cybersecurity and compliance programs. 

The company was not fined, nor did it admit to or deny the allegations by the FTC. 

Blackbaud paid $3 million in March 2023 to settle the SEC probe into the attack because the company made misleading statements in a 10-Q filing and later tried to clean them up in subsequent filings.

The company hired a new CISO in 2022 and added United Airlines CISO Deneen DeFiore to its board of directors later that year. 

The requirement to disclose future breaches to the FTC is not trivial. A prior FTC investigation of Uber led to the federal investigation and conviction of former Uber CSO Joe Sullivan. Sullivan and Uber concealed a ransomware attack from the FTC while the agency was investigating the company’s data security practices in a previous case.
