Following Federal Trade Commission (FTC) charges, Blackbaud will be required to delete personal data it no longer needs. The settlement follows an FTC complaint alleging that the company's "lax security" allowed a hacker to breach its network and access the personal data of millions of consumers, including Social Security and bank account numbers.
In its complaint, the FTC says that Blackbaud, which provides data services and financial, fundraising and administrative software services to companies, nonprofits, healthcare organizations and others, failed to implement appropriate safeguards to secure and protect the vast amounts of personal data it maintains as part of the services it provides to its clients.
As a result of these failures, according to the complaint, a hacker in early 2020 gained access to a customer's Blackbaud-hosted database. Once inside, the attacker was able to move freely across multiple Blackbaud-hosted environments by exploiting existing vulnerabilities, abusing local administrator accounts, and creating new administrator accounts. Unmonitored local administrator accounts and unreviewed creation of new privileged accounts are what turned access to a single customer database into access across many environments. The intrusion went undetected for three months, during which the attacker exfiltrated large volumes of unencrypted sensitive consumer data belonging to Blackbaud's customers.
Beyond requiring Blackbaud to delete data it no longer needs to provide products or services to its customers, the proposed order prohibits the company from misrepresenting its data security and data retention practices. It also requires Blackbaud to develop a comprehensive information security program addressing the issues identified in the FTC's complaint, and to put in place a data retention schedule that documents why it holds personal data and when it will delete it. Finally, the proposed order requires Blackbaud to notify the FTC of any future data breach that it is required to report to any other local, state, or federal agency.