Cloud computing provider Blackbaud has agreed to a $49.5 million settlement with attorneys general from 49 U.S. states to resolve an investigation into a ransomware attack and data breach that occurred in May 2020.
Blackbaud specializes in software solutions for nonprofit organizations, managing sensitive donor engagement and constituency data. The breach exposed a wide range of sensitive information, impacting millions of individuals across the U.S., Canada, the U.K., and the Netherlands. Attackers stole unencrypted banking information, login credentials, and Social Security numbers, and Blackbaud ultimately complied with the attackers’ ransom demand.
The settlement also resolves allegations that Blackbaud violated state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA). Under the agreement, Blackbaud must implement a breach response plan, offer assistance to customers in case of a breach, report security incidents to its CEO and board, and provide enhanced employee training. The company is also required to strengthen its security controls, including database encryption and dark web monitoring, and to improve its defenses through other cybersecurity measures.
This settlement comes after Blackbaud faced numerous lawsuits and penalties following the 2020 breach. In November 2020, the company was sued in 23 proposed consumer class action cases related to the security breach.
Additionally, in March, Blackbaud agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC) for failing to disclose the full impact of the ransomware attack. The SEC found that Blackbaud’s failure to properly disclose the breach’s scope and risks led to a misleading report that downplayed the potential dangers associated with the stolen donor information.