Blackbaud Settles $49.5 Million Ransomware-Induced Data Breach


Is your data safe with cloud software companies? Cloud software firm Blackbaud has recently agreed to a $49.5 million settlement with 49 U.S. states over a data breach caused by a ransomware attack.

| Item | Detail |
| --- | --- |
| Settlement Amount | $49.5 Million |
| Number of Affected States | 49 |
| Number of Affected Clients | 13,000 initially, millions later |
| Type of Data Exposed | Client Data, Sensitive Information |
| Legal Violations | Consumer Protection, Data Breach Reporting, Healthcare Laws |

Quick Facts

In 2020, Blackbaud, a company providing various services to non-profit organizations and educational institutions, fell victim to a ransomware attack. The company specializes in customer relationship management (CRM) systems and suffered a massive breach that initially affected 13,000 clients. Later, it was revealed that the data of millions of clients and users linked to these clients had been compromised. Prominent educational institutions like TU Delft and the University of Utrecht were among those affected.

Blackbaud paid the attackers to destroy the data and gave assurances that no sensitive information, such as bank details or social security numbers, had been exposed. However, internal staff discovered that the attackers had indeed accessed this sensitive information. Due to the lack of proper reporting protocols, this crucial detail was not communicated to the management responsible for reporting the data breach.

When Blackbaud reported the ransomware attack to the SEC in August 2020, it omitted this vital information. According to the attorneys general of the 49 U.S. states involved, Blackbaud violated consumer protection laws, data breach notification laws, and healthcare laws.

Blackbaud had not taken adequate security measures and had left known vulnerabilities unpatched, allowing the attacker to gain access to its network. Furthermore, the company failed in its legal obligation to inform its customers promptly and accurately. In some cases, victims were not notified at all.

In addition to the $49.5 million payment, Blackbaud is required to make several changes. These include the creation and implementation of a data breach plan, staff training, and various security measures to ensure that such an incident does not happen again.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
