Friday, September 20, 2024

Blackbaud agrees to $49.5 million settlement for ransomware data breach


Cloud computing provider Blackbaud has reached a $49.5 million settlement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach.

Blackbaud is a leading provider of software solutions catering to nonprofit organizations, such as charities, schools, and healthcare agencies, and it specializes in donor engagement and management of constituency data.

This data includes a wide array of sensitive information such as demographic details, Social Security numbers, driver's license numbers, financial records, employment data, wealth information, donation histories, and protected health information.

In the breach disclosed by Blackbaud in July 2020, highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals.

The attackers stole customers' unencrypted banking information, login credentials, and Social Security numbers. Blackbaud complied with the attackers' ransom demand after being told that all of the stolen data had been destroyed.

This week's $49.5 million settlement addresses allegations that Blackbaud violated state consumer protection laws, breach-notification rules, and the Health Insurance Portability and Accountability Act (HIPAA).

“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers' rightful expectations of data privacy and security,” said Ohio Attorney General Dave Yost.

As part of the settlement, Blackbaud also has to:

  • Implement and maintain a breach response plan
  • Provide appropriate assistance to its customers in the event of a breach
  • Report security incidents to its CEO and board and provide enhanced employee training
  • Implement personal information safeguards and controls requiring total database encryption and dark web monitoring
  • Improve defenses via network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
  • Allow third-party assessments of its compliance with the settlement for seven years

Ransomware attack fallout

In its 2020 Q3 quarterly report, the company revealed three years ago that at least 43 state Attorneys General and the District of Columbia were looking into the incident.

By November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.

In March, the company also agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.

According to the SEC, Blackbaud's technology and customer relations personnel discovered that the attackers had stolen donor bank account information and Social Security numbers. However, they failed to escalate the matter to management due to the company's lack of appropriate disclosure controls and procedures.

Subsequently, Blackbaud submitted an SEC report omitting crucial details about the full scope of the breach. Furthermore, the report downplayed the potential risk associated with the sensitive donor information accessed by the attackers, describing it as hypothetical.
