Blackbaud Pays $49.5M to Settle With State AGs in Breach2020 Ransomware Incident Affected 13,000 Customers, Millions of Individuals
Fundraising software powerhouse Blackbaud will pay $49.5 million to settle a multistate investigation into the company's data security practices and its response to a 2020 ransomware attack.
Under the settlement, the Charleston, South Carolina, company must also undergo third-party assessments for seven years to monitor its compliance with conditions imposed on the company, including maintaining an information security program and biannual exercises to determine breach response preparedness.
The attack affected more than 1 million files related 13,000 clients, or roughly a quarter of the company's customers. "Nonprofits doing their great work rely and depend on vendors like Blackbaud to protect sensitive and private information," said Indiana Attorney General Todd Rokita. Rokita and the attorney general of Vermont led a coalition of 49 states and the District of Columbia to probe the ransomware incident. The state attorney of California has a separate investigation into the Blackbaud breach. A spokesperson for California's attorney general declined Information Security Media Group's request for comment about the status of the state's Blackbaud investigation.
Blackbaud said in a Thursday regulatory filing that it had accrued sufficient cash as of June 30 to pay the 49-state settlement amount. A spokesperson told Information Security Media Group the company has no additional comment.
Blackbaud's software is used by nonprofit organizations including charities, educational institutions and healthcare organizations to keep them connected with donors and potential contributors.
The settlement also resolves allegations from the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws and HIPAA, since the breach affected at least 6 million individuals covered by the federal medical privacy law. Among the affected organizations was metro Washington, D.C.'s Inova Health System, which said that 1.05 million patients and donors has been caught up in the cyber incident (see: Blackbaud Ransomware Breach Victims, Lawsuits Pile Up).
Blackbaud first disclosed the ransomware attack in mid-July 2020 after detecting it months earlier, in May. Hackers first penetrated the company's cloud environment in February. The company says it prevented malicious encryption but couldn't stop the hackers from exfiltrating data. It paid the hackers $230,000 in exchange for a promise to destroy the data, although private plaintiffs suing the company said the company never received any video proof of data deletion.
The company's initial breach disclosure indicated that the attacker had not accessed any donor bank account information or Social Security numbers. Within days of these statements, the company's technology and customer relations personnel learned that these claims about bank account information and Social Security numbers had been erroneous, according to a separate company settlement reached with the Securities and Exchange Commission in March.
Still, the company "misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical," the regulator said. Blackbaud paid $3 million to resolve the SEC probe (see: Blackbaud to Pay $3 Million Over 'Erroneous' Breach Details).
It was not until late September 2020 that Blackbaud disclosed for the first time that hackers had accessed unencrypted donor bank account information and Social Security numbers.
Among the security measures called for by the multistate settlement are network segmentation, encryption, patch management, reporting security incidents to its CEO and board, and pledging to refrain from misrepresenting details of its data security practices.
Blackbaud still faces a consolidated putative class action lawsuit alleging in part that the company's security program was woefully inadequate. Company attempts to get the lawsuit dismissed have been unsuccessful, although the court has dismissed some claims. Plaintiffs in December filed a motion for class certification. A three-day hearing on the motion and which witnesses could potentially testify before a jury is set to begin on March 6, 2024, in the U.S. District Court for the District of South Carolina.