Cloud computing supplier Blackbaud reached a $49.5 million settlement with attorneys common from 49 U.S. states to settle a multi-state investigation of a Could 2020 ransomware assault and the ensuing data breach.
Blackbaud is a number one supplier of software program options catering to nonprofit organizations, corresponding to charities, colleges, and healthcare companies, and it focuses on donor engagement and administration of constituency information.
This information consists of a wide selection of delicate data corresponding to demographic particulars, Social Safety numbers, driver’s license numbers, monetary data, employment information, wealth data, donation histories, and guarded well being data.
Within the breach disclosed by Blackbaud in July 2020, the extremely delicate information belonging to over 13,000 Blackbaud enterprise clients and their shoppers from the U.S., Canada, the U.Okay., and the Netherlands was compromised, impacting hundreds of thousands of people.
The attackers stole clients’ unencrypted banking data, login credentials, and social security numbers. Blackbaud complied with the attackers’ demand for ransom after being advised that every one the stolen information was destroyed.
This week’s $49.5 million settlement addresses allegations of Blackbaud violating state client safety legal guidelines, breach-notification rules, and the Well being Insurance coverage Portability and Accountability Act (HIPAA).
“Carelessness can not justify the compromise of client information. Firms should be dedicated to safeguarding private data, assembly customers’ rightful expectations of knowledge privateness and safety,” stated Ohio Legal professional Basic Dave Yost.
As a part of the settlement, Blackbaud additionally has to:
- Implement and keep a breach response plan
- Present acceptable help to its clients within the occasion of a breach
- Report security incidents to its CEO and board and supply enhanced worker coaching
- Implement private data safeguards and controls requiring whole database encryption and darkish internet monitoring
- Enhance defenses by way of community segmentation, patch administration, intrusion detection, firewalls, entry controls, logging and monitoring, and penetration testing
- Permit third-party assessments of its compliance with the settlement for seven years
Ransomware assault fallout
In its 2020 Q3 Quarterly report, the corporate revealed three years in the past that a minimum of 43 state Attorneys Generals and the District of Columbia had been trying into the incident.
By November 2020, Blackbaud had already been sued in 23 proposed client class motion instances associated to the Could 2020 security breach within the U.S. and Canada.
In March, the corporate additionally agreed to pay $3 million to settle expenses introduced by the Securities and Trade Fee (SEC), alleging that it did not disclose the total impression of the 2020 ransomware assault.
In response to the SEC, Blackbaud’s expertise and buyer relations personnel found the attackers stole donor checking account data and social security numbers. Nonetheless, they did not escalate the matter to administration as a result of firm’s lack of acceptable disclosure controls and procedures.
Subsequently, Blackbaud submitted an SEC report omitting essential particulars in regards to the full scope of the breach. Moreover, the report downplayed the potential danger related to delicate donor data accessed by the attackers, describing it as hypothetical.
