Cloud computing provider Blackbaud reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach.
Blackbaud is a leading provider of software solutions catering to nonprofit organizations, such as charities, schools, and healthcare agencies, and it specializes in donor engagement and management of constituency data.
This data includes a wide array of sensitive information such as demographic details, Social Security numbers, driver’s license numbers, financial records, employment data, wealth information, donation histories, and protected health information.
In the breach disclosed by Blackbaud in July 2020, the highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals.
The attackers stole customers’ unencrypted banking information, login credentials, and Social Security numbers. Blackbaud paid the attackers’ ransom demand after being told that all the stolen data had been destroyed.
This week’s $49.5 million settlement addresses allegations of Blackbaud violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA).
“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” said Ohio Attorney General Dave Yost.
As part of the settlement, Blackbaud also has to:
- Implement and maintain a breach response plan
- Provide appropriate assistance to its customers in the event of a breach
- Report security incidents to its CEO and board and provide enhanced employee training
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring
- Improve defenses via network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
- Allow third-party assessments of its compliance with the settlement for seven years
Ransomware attack fallout
In its Q3 2020 quarterly report, filed three years ago, the company revealed that at least 43 state attorneys general and the District of Columbia were looking into the incident.
By November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.
In March, the company also agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.
According to the SEC, Blackbaud’s technology and customer relations personnel discovered that the attackers had stolen donor bank account information and Social Security numbers. However, they didn’t escalate the matter to management because the company lacked appropriate disclosure controls and procedures.
Subsequently, Blackbaud submitted an SEC report omitting crucial details about the full scope of the breach. Additionally, the report downplayed the potential risk associated with sensitive donor information accessed by the attackers, describing it as hypothetical.