Article Details
Scrape Timestamp (UTC): 2023-10-06 18:48:08.962
Original Article Text
Blackbaud agrees to $49.5 million settlement for ransomware data breach
Cloud computing provider Blackbaud reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach.
Blackbaud is a leading provider of software solutions catering to nonprofit organizations, such as charities, schools, and healthcare agencies, and it specializes in donor engagement and management of constituency data. This data includes a wide array of sensitive information such as demographic details, Social Security numbers, driver's license numbers, financial records, employment data, wealth information, donation histories, and protected health information.
In the breach disclosed by Blackbaud in July 2020, the highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals. The attackers stole customers' unencrypted banking information, login credentials, and Social Security numbers. Blackbaud complied with the attackers' demand for ransom after being told that all the stolen data was destroyed.
This week's $49.5 million settlement addresses allegations of Blackbaud violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA).
"Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers' rightful expectations of data privacy and protection," said Ohio Attorney General Dave Yost.
As part of the settlement, Blackbaud also has to:
Ransomware attack fallout
In its 2020 Q3 quarterly report, the company revealed three years ago that at least 43 state attorneys general and the District of Columbia were looking into the incident.
By November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.
In March, the company also agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.
According to the SEC, Blackbaud's technology and customer relations personnel discovered the attackers stole donor bank account information and Social Security numbers. However, they didn't escalate the matter to management due to the company's lack of appropriate disclosure controls and procedures.
Subsequently, Blackbaud submitted an SEC report omitting crucial details about the full scope of the breach. Additionally, the report downplayed the potential risk associated with sensitive donor information accessed by the attackers, describing it as hypothetical.
Daily Brief Summary
Cloud computing provider Blackbaud has reached a $49.5 million settlement with attorneys general from 49 U.S. states over a ransomware attack and the resulting data breach that occurred in May 2020.
The attack compromised data belonging to over 13,000 Blackbaud business customers and their clients in the U.S., Canada, U.K., and the Netherlands. This sensitive data included demographic details, Social Security numbers, driver's license numbers, financial records, employment data, wealth information, donation histories, and protected health information.
The settlement addresses allegations that Blackbaud violated state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA).
As a part of the settlement, Blackbaud also has to take certain actions, including implementing a consolidated risk management strategy and undergoing annual, independent, third-party cybersecurity reviews, among others.
Previously, in March this year, Blackbaud had agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC). The charges alleged that the company failed to disclose the full impact of the 2020 ransomware attack.
In the context of these settlements, Blackbaud is reportedly facing multiple lawsuits including 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.