Blackbaud: Taking Responsibility with a Landmark $49.5 Million Settlement for Devastating Ransomware Data Breach

Blackbaud settles for $49.5 million after a devastating ransomware data breach. Learn about the implications and response.

Blackbaud Reaches $49.5 Million Settlement for Ransomware Attack and Data Breach

Cloud computing provider Blackbaud has reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation regarding a ransomware attack and the resulting data breach that occurred in May 2020.

Blackbaud, a leading provider of software solutions for nonprofit organizations including charities, schools, and healthcare agencies, specializes in donor engagement and management of constituency data.

This data includes a wide array of sensitive information such as demographic details, Social Security numbers, driver’s license numbers, financial records, employment data, wealth information, donation histories, and protected health information.

In July 2020, Blackbaud disclosed a breach in which highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals.

The attackers gained access to customers’ unencrypted banking information, login credentials, and Social Security numbers. Blackbaud ultimately complied with the attackers’ ransom demand after being assured that all stolen data had been destroyed.

This week, Blackbaud has agreed to a $49.5 million settlement to address allegations of violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA).

“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” said Ohio Attorney General Dave Yost.

Settlement Requirements

As part of the settlement, Blackbaud is required to:

  • Implement and maintain a breach response plan
  • Provide appropriate assistance to its customers in the event of a breach
  • Report security incidents to its CEO and board and provide enhanced employee training
  • Implement personal information safeguards and controls, including total database encryption and dark web monitoring
  • Improve defenses through network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
  • Allow third-party assessments of its compliance with the settlement for seven years

Ransomware Attack Fallout

In its 2020 Q3 Quarterly report, the company revealed that at least 43 state Attorneys General and the District of Columbia were investigating the incident.

By November 2020, Blackbaud faced 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.

In March, the company agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it had failed to disclose the full impact of the 2020 ransomware attack.

According to the SEC, Blackbaud’s technology and customer relations personnel discovered that the attackers had stolen donor bank account information and Social Security numbers. However, they failed to escalate the matter to management because the company lacked appropriate disclosure controls and procedures.

Subsequently, Blackbaud submitted an SEC report omitting crucial details about the full scope of the breach. Additionally, the report downplayed the potential risk associated with sensitive donor information accessed by the attackers, describing it as hypothetical.
