The Commission voted 3 to 0 to issue an administrative complaint and accept the proposed consent agreement, which is subject to a 30-day comment period before being made final. In an SEC filing, Blackbaud reported the FTC had not proposed a fine or any payment. Under the agreement, the company neither admitted nor denied allegations.
The breach went undetected for three months. Blackbaud then agreed to pay a ransom of about $250,000 to stop the hacker from exposing the stolen data, without ever confirming that the intruder had deleted it.
It then waited almost two months to tell customers about the breach, and misled customers about the breach even though Blackbaud knew as early as July 2020 that the hacker had obtained data such as Social Security and bank account information.
In October, Blackbaud agreed to pay 49 states and the District of Columbia $49.5 million to settle litigation about the breach. Only California was not involved in the settlement. It has also paid $3 million to the SEC.
The FTC announcement said Blackbaud failed to monitor hacker attempts to breach its networks, segment data to prevent intruders from easily accessing its networks and databases, ensure unneeded data is deleted, adequately implement multifactor authentication, and test, review and assess its security controls. It also allowed employees to use default, weak, or identical passwords.
Once the hacker accessed one database, it was able to move easily across multiple Blackbaud-hosted environments. Data that was retained unnecessarily included that of former customers.