The fundraising software company Blackbaud agreed Thursday to pay $49.5 million to settle claims brought by the attorneys general of 49 states and Washington, D.C., related to a 2020 data breach that exposed sensitive information from 13,000 nonprofits.
Health information, Social Security numbers and the financial information of donors or clients of the nonprofits, universities, hospitals and religious organizations that the company serves was the type of data that was exposed in the breach, according to Indiana Attorney General Todd Rokita, who co-led the investigation with Vermont.
Blackbaud, which offers software for fundraising and data management to nonprofits, first publicly acknowledged that an outside actor had gained access to its data on July 16, 2020, but downplayed the extent and sensitivity of the information that had been stolen, the attorneys general said. Over 1,000,000 records were exposed in the breach.
The company paid the intruder a ransom in exchange for deleting the data.
Blackbaud agreed to strengthen its data security practices, improve customer notification in the event of another breach and to have an outside party assess its compliance with the terms of the settlement for seven years, the settlement said.
The company did not admit any wrongdoing under the terms of the settlement. Blackbaud said in a statement that it expected to pay the full settlement amounts in October.
Indiana will receive nearly $3.6 million under the terms of the settlement, the most of any state, Rokita's office said.
In March, the U.S. Securities and Exchange Commission said it settled charges against Blackbaud for misleading investors about the nature of the information that was stolen. After initially saying that bank information and Social Security numbers were not accessed in the breach, employees of the company learned that they had been but did not notify senior leaders, the SEC said.
The company agreed to pay a $3 million fine to the SEC but did not admit wrongdoing.