Cloud computing provider Blackbaud reached a $49.5 million settlement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach.
Blackbaud is a leading provider of software solutions catering to nonprofit organizations, such as charities, schools, and healthcare agencies, and it focuses on donor engagement and management of constituent data.
This data includes a wide range of sensitive information such as demographic details, Social Security numbers, driver’s license numbers, financial records, employment data, wealth information, donation histories, and protected health information.
In the breach disclosed by Blackbaud in July 2020, the highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals.
The attackers stole customers’ unencrypted banking information, login credentials, and Social Security numbers. Blackbaud complied with the attackers’ ransom demand after being told that all the stolen data had been destroyed.
This week’s $49.5 million settlement addresses allegations that Blackbaud violated state consumer protection laws, breach-notification rules, and the Health Insurance Portability and Accountability Act (HIPAA).
“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and security,” said Ohio Attorney General Dave Yost.
As part of the settlement, Blackbaud also has to:
- Implement and maintain a breach response plan
- Provide appropriate assistance to its customers in the event of a breach
- Report security incidents to its CEO and board and provide enhanced employee training
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring
- Improve defenses through network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
- Allow third-party assessments of its compliance with the settlement for seven years
Ransomware attack fallout
In its 2020 Q3 quarterly report, the company revealed three years ago that at least 43 state Attorneys General and the District of Columbia were looking into the incident.
By November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.
In March, the company also agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.
According to the SEC, Blackbaud’s technology and customer relations personnel discovered that the attackers had stolen donor bank account information and Social Security numbers. However, they did not escalate the matter to management because of the company’s lack of appropriate disclosure controls and procedures.
Subsequently, Blackbaud submitted an SEC report omitting crucial details about the full scope of the breach. Moreover, the report downplayed the potential risk associated with the sensitive donor information accessed by the attackers, describing it as hypothetical.