Cloud computing provider Blackbaud reached a $49.5 million settlement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach.
Blackbaud is a leading provider of software solutions catering to nonprofit organizations, such as charities, universities, and healthcare agencies, and it specializes in donor engagement and management of constituency data.
This data includes a wide range of sensitive information such as demographic details, Social Security numbers, driver's license numbers, financial information, employment data, wealth information, donation histories, and protected health information.
In the breach disclosed by Blackbaud in July 2020, the highly sensitive data belonging to over 13,000 Blackbaud business customers and their clients from the U.S., Canada, the U.K., and the Netherlands was compromised, impacting millions of individuals.
The attackers stole customers' unencrypted banking information, login credentials, and Social Security numbers. Blackbaud complied with the attackers' ransom demand after being told that all the stolen data had been destroyed.
This week's $49.5 million settlement addresses allegations of Blackbaud violating state consumer protection laws, breach-notification rules, and the Health Insurance Portability and Accountability Act (HIPAA).
“Carelessness cannot justify the compromise of consumer data. Companies must be committed to safeguarding personal information, meeting consumers' rightful expectations of data privacy and security,” said Ohio Attorney General Dave Yost.
As part of the settlement, Blackbaud also has to:
- Implement and maintain a breach response plan
- Provide appropriate assistance to its customers in the event of a breach
- Report security incidents to its CEO and board and provide enhanced employee training
- Implement personal information safeguards and controls requiring total database encryption and dark web monitoring
- Improve defenses through network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing
- Allow third-party assessments of its compliance with the settlement for seven years
Ransomware attack fallout
In its 2020 Q3 quarterly report, the company revealed three years ago that at least 43 state attorneys general and the District of Columbia were looking into the incident.
By November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases related to the May 2020 security breach in the U.S. and Canada.
In March, the company also agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of the 2020 ransomware attack.
According to the SEC, Blackbaud's technology and customer relations personnel discovered that the attackers had stolen donor bank account information and Social Security numbers. However, they failed to escalate the matter to management due to the company's lack of appropriate disclosure controls and procedures.
Subsequently, Blackbaud submitted an SEC report omitting critical details about the full scope of the breach. Moreover, the report downplayed the potential risk associated with the sensitive donor information accessed by the attackers, describing it as hypothetical.