Is your data safe with cloud software companies? Cloud software firm Blackbaud has recently agreed to a $49.5 million settlement[^1] with 49 U.S. states over a data breach caused by a ransomware attack.
| Item | Detail |
|---|---|
| Settlement Amount | $49.5 Million |
| Number of Affected States | 49 |
| Number of Affected Clients | 13,000 initially, millions later |
| Type of Data Exposed | Client Data, Sensitive Information |
| Legal Violations | Consumer Protection, Data Breach Reporting, Healthcare Laws |
In 2020, Blackbaud, a company providing various services to non-profit organizations and educational institutions, fell victim to a ransomware attack. The company specializes in customer relationship management (CRM) systems and suffered a massive breach that initially affected 13,000 clients. Later, it was revealed that the data of millions of clients, and of users linked to these clients, had been compromised. Prominent educational institutions such as TU Delft and the University of Utrecht were among those affected.
Blackbaud paid the attackers to destroy the data and gave assurances that no sensitive information such as bank details or social security numbers had been exposed. However, internal staff discovered that the attackers had indeed accessed this sensitive information. Due to the lack of proper reporting protocols, this crucial detail was not communicated to the management responsible for reporting the data breach.
When Blackbaud reported the ransomware attack to the SEC in August 2020, it omitted this vital information. According to the Attorneys General of the 49 U.S. states involved, Blackbaud violated consumer protection laws, data breach notification laws, and healthcare laws.
Blackbaud had not taken adequate security measures and had left known vulnerabilities unpatched, allowing the attacker to gain access to its network. Furthermore, the company failed in its legal obligation to inform its customers promptly and accurately. In some cases, victims were not notified at all.
In addition to the $49.5 million payment, Blackbaud is required to make several changes. These include the creation and implementation of a data breach plan, staff training, and various security measures to ensure that such an incident does not happen again.
[^1]: https://www.ohioattorneygeneral.gov/Files/Briefing-Room/News-Releases/Consumer-Protection/2023-10-05-Blackbaud-Inc-2023-10-05-In-The-Matter.aspx