
Ransomware attack in 2020 on Blackbaud results in FTC data security settlement

The company must delete data it has stored unnecessarily and report any future data breaches to the agency.


In a significant development, software firm Blackbaud, which provides services to schools, hospitals, and nonprofits, is in the process of settling with the Federal Trade Commission (FTC) over a ransomware attack that occurred in 2020.

The attack, which affected approximately 13,000 customers, resulted in the theft of sensitive data, including bank account details and Social Security numbers. The hackers promised to delete the personal customer data, but Blackbaud later misled customers about the scope of the data exfiltration.

The FTC's Bureau of Consumer Protection stated that Blackbaud's shoddy security and data retention practices allowed a hacker to obtain sensitive personal data about millions of customers. As a result, the FTC has proposed a settlement with Blackbaud, requiring the company to delete any unnecessarily stored data.

Blackbaud has not been fined by the FTC, and it neither admitted nor denied the allegations. The company's President and CEO, Mike Gianoni, has emphasised the importance of protecting customer privacy.

In a separate incident, Blackbaud paid a ransom of $235,000 in Bitcoin to the hackers following the attack. To address these issues, Blackbaud hired a new Chief Information Security Officer (CISO) in 2022 and added Deneen DeFiore, former CISO of United Airlines, to its board of directors.

The proposed settlement was announced on February 1, 2024, addressing Blackbaud’s security lapses related to the ransomware attack, which involved unauthorized access and file encryption impacting customer data. However, as of August 2025, no updated confirmation or further specifics on the settlement have been publicly released.

The FTC's settlement with Blackbaud is part of a broader trend of increased activity on data security and privacy matters by the FTC, particularly in healthcare and hosting services. The FTC will require Blackbaud to develop an information security program addressing key issues raised by the FTC action and inform the agency of any future data breach.

Corporate stakeholders are increasingly concerned about understanding the risk calculus of their technology stacks, asking the question: Are we a target? The Blackbaud case serves as a reminder of the importance of robust security measures and transparent data handling practices.


  1. Blackbaud, in settling with the FTC, is mandated to create an information security program that addresses key issues, in a bid to improve its compliance with cybersecurity regulations.
  2. The FTC's settlement with Blackbaud emphasizes the growing focus on privacy and data security in hosting services and healthcare sectors, with a particular focus on transparency in data handling practices.
  3. Despite paying a ransom of $235,000 to hackers following a data breach, Blackbaud's President and CEO, Mike Gianoni, underlined the company's dedication to enhancing cybersecurity measures and protecting customer privacy.
