Cloud computing provider Blackbaud reached a $49.5 million settlement with attorneys general of 49 US states to resolve a multistate investigation into a May 2020 ransomware attack and the resulting data breach.
Blackbaud is a leading provider of software solutions for nonprofit organizations, such as charities, schools, and healthcare agencies, specializing in donor engagement and constituent data management.
This data includes a wide range of sensitive information, such as demographic details, Social Security numbers, driver’s license numbers, financial records, employment data, asset information, donation histories, and protected health information.
In the breach disclosed by Blackbaud in July 2020, highly sensitive data belonging to more than 13,000 Blackbaud business customers and their own customers in the US, Canada, the UK and the Netherlands was compromised, affecting millions of people.
The attackers stole customers’ unencrypted banking information, login credentials, and social security numbers. Blackbaud met the attackers’ ransom demand after being told that all stolen data had been destroyed.
This week’s $49.5 million settlement addresses allegations that Blackbaud violated state consumer protection laws, breach notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA).
“Carelessness cannot justify the compromise of consumer data. Businesses must commit to safeguarding personal information, meeting consumers’ legitimate expectations for privacy and data protection,” said the Ohio Attorney General, Dave Yost.
As part of the agreement, Blackbaud must also:
- Implement and maintain a breach response plan.
- Provide appropriate assistance to its customers in the event of a breach.
- Report security incidents to its CEO and board of directors, and provide enhanced training to employees.
- Implement personal information safeguards and controls that require full database encryption and dark web monitoring.
- Enhance defenses through network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
- Allow third-party assessments of its compliance with the agreement for seven years.
The consequences of the ransomware attack
In its quarterly report for the third quarter of 2020, filed three years ago, the company revealed that at least 43 state attorneys general and the District of Columbia were investigating the incident.
As of November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the US and Canada.
In March, the company also agreed to pay $3 million to resolve charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.
According to the SEC, Blackbaud’s technology and customer relations staff discovered that the attackers had stolen donors’ bank account information and Social Security numbers. However, they did not escalate the matter to management because the company lacked adequate disclosure controls and procedures.
Blackbaud subsequently filed a report with the SEC omitting crucial details about the full scope of the breach. Additionally, the report downplayed the potential risk associated with sensitive donor information accessed by attackers, describing it as hypothetical.