$49.5 Million Settlement For Blackbaud Data Breach

Blackbaud has settled another case related to a May 2020 ransomware attack and resulting data breach, as reported by Bleeping Computer. This payout was for an investigation by the attorneys general of 49 states that alleges violations of state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act.

“Businesses must be committed to safeguarding personal information, and meeting consumers’ rightful expectations of data privacy and protection,” said Ohio Attorney General Dave Yost, one of the plaintiffs.

Blackbaud provides software solutions to nonprofit organizations and specializes in donor engagement and management of constituency data. The breach, disclosed in July 2020, involved sensitive data belonging to more than 13,000 Blackbaud customers and their clients in the U.S., Canada, the U.K., and the Netherlands. Millions of individuals were impacted.

The stolen data included demographic details, Social Security numbers, driver’s license numbers, financial records, employment data, wealth information, donation histories, protected health information, unencrypted banking information, and login credentials. Blackbaud paid a ransom after the attackers said that all the stolen data was destroyed.

As part of the most recent settlement, Blackbaud agreed to implement or augment a number of security expedients, including a breach response plan, appropriate assistance to customers if a breach occurs, reporting of security incidents to the CEO and board, enhanced employee training, and implementation of other safeguards and controls including third-party assessments of its compliance with the settlement for seven years.