Blackbaud agrees to $49.5 million settlement with AGs of nearly all 50 states


The attorneys general of 49 states and Washington, D.C., agreed to a $49.5 million settlement with software company Blackbaud over a 2020 data breach that exposed the sensitive data of millions.

The company — which serves nonprofits like charities, schools and healthcare agencies — announced a ransomware attack in July 2020 that involved the theft of troves of demographic information, Social Security numbers, driver’s license numbers, financial data, employment and wealth information, donation histories and protected health information.

The attack exposed information from more than 13,000 of Blackbaud’s business customers and millions of downstream users.

Blackbaud faced a lawsuit from the attorneys general of every state except California for violating state consumer protection laws, state breach-notification laws and the federal Health Insurance Portability and Accountability Act (HIPAA).

The company was accused of failing to implement data security measures or remediate basic security gaps. The lawsuit said Blackbaud allowed “unauthorized individuals to gain access to Blackbaud’s network” and “also failed to promptly, completely or accurately inform its customers about the breach, as required by law.”

The company’s failures “significantly delayed the process for notifying those whose personal information was compromised, and, in some cases, there was no notification at all.”

Every state involved in the case will get a cut of the $49.5 million. Ohio Attorney General Dave Yost, who secured $1.3 million for Ohio, said carelessness “cannot justify the compromise of consumer data.

“Companies must be committed to safeguarding personal information, meeting consumers’ rightful expectations of data privacy and protection,” he said.

On July 16, 2020, Blackbaud announced that ransomware attackers had not gained access to donor bank account information or Social Security numbers, but this was later proven false.

When the company’s IT staff realized the error days after the first statement was released, they did not inform senior management. The company also did not disclose this information in its quarterly report to the SEC the following month.

In March, Blackbaud paid a $3 million settlement to the Securities and Exchange Commission related to the incident.

In addition to the fine being paid to each state, Blackbaud is required to:

Explain how it handles customer data
Implement a data breach response plan
Create a mechanism to assist customers in the event of a breach
Report all incidents to the company's CEO and board
Provide employee cybersecurity training
Implement safeguards for the handling of personal information
Implement network segmentation, patch management systems and more
Allow third-party testing of its compliance with the settlement for seven years

The actions taken against Blackbaud are part of a growing effort by state officials to punish large companies for failing to protect sensitive customer information.

Two weeks ago, New York Attorney General Letitia James used a settlement to force a local college to invest $3.5 million into cybersecurity after a 2021 data breach leaked troves of sensitive information about almost 200,000 people.

James and other attorneys general have joined forces to fine companies like clothing giant Shein, Carnival Cruises, grocery chain Wegmans, retailer Sports Warehouse, insurer EyeMed, OneMain Financial Group and more.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

