The Weekly Breach Breakdown: Fines from the Past – Blackbaud Settlement with California

• The California Attorney General’s Office recently ordered Blackbaud to pay $6.75 million to settle the aftermath of the ransomware attack that occurred in May 2020.
• The Blackbaud settlement with California is not the only financial penalty the software company has faced. In March 2023, Blackbaud was fined $3 million and reached a $49.5 million settlement with 49 states and Washington, D.C.
• In past years, Blackbaud has been criticized for paying the ransom demanded by the threat actors without ensuring the deletion of the compromised data or taking additional steps to enhance its security practices. They were also charged for misleading disclosures about the attack.
• The Blackbaud ransomware attack serves as a reminder of the significance of robust cybersecurity practices, including encryption of sensitive data, implementation of multifactor authentication or passkeys, and robust data protection.
• To learn about the latest data compromises, consumers and businesses should visit the Identity Theft Resource Center’s data breach tracking tool, notified. 
• If you believe you are the victim of an identity crime, call or text toll-free at 888.400.5530 or live chat on our website, idtheftcenter.org.

Fines from the Past

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 12, 2024. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we discuss the 2020 ransomware attack that affected Blackbaud and its numerous implications for the world of cybersecurity, including the latest Blackbaud settlement.

The Blackbaud ransomware attack of 2020 has highlighted the critical need for robust cybersecurity measures in today’s digital landscape. In the wake of this incident, it’s clear that when it comes to cybersecurity, there’s no such thing as being too careful – it’s better to be safe than sorry.

Blackbaud Settlement with California

The California Attorney General’s Office recently ordered Blackbaud, a South Carolina-based software company, to pay a hefty $6.75 million to settle the aftermath of the ransomware attack that occurred in May 2020. The breach exposed unencrypted Social Security numbers, bank account details, and login credentials, affecting approximately 13,000 nonprofits, universities, hospitals and other organizations. The ransomware attack resulted from Blackbaud’s poor security practices, including the lack of encrypted data, which ultimately enabled threat actors to compromise sensitive information.

Following the attack, Blackbaud also made misleading statements about the sufficiency of its data security efforts and the extent of the breach to its nonprofit customers and the public. These actions were found to violate the Reasonable Data Security Law, Unfair Competition Law and the False Advertising Law related to data security.

Other Financial Penalties for Blackbaud

In addition to the Blackbaud settlement with the California Attorney General’s Office, Blackbaud faced additional financial penalties. In March 2023, Blackbaud was fined $3 million and subsequently reached a $49.5 million settlement with 49 states and Washington, D.C. Furthermore, the Federal Trade Commission (FTC) ordered Blackbaud to develop an information security program and delete unnecessary data. The FTC criticized Blackbaud for paying the ransom demanded by the threat actors without ensuring the deletion of the compromised data or taking additional steps to enhance its security practices.

Implications from the Blackbaud Ransomware Attack

Blackbaud’s failure to adequately safeguard consumers’ personal information and misleading communication about the full impact of the data breach has raised serious cybersecurity concerns. The implications of the Blackbaud ransomware attack extend beyond financial penalties. The incident serves as a stark reminder of the significance of robust cybersecurity practices, including encryption of sensitive data, implementation of multifactor authentication or passkeys, and robust data protection. Learn from the Blackbaud case and take comprehensive measures to secure your systems, protect sensitive information, and uphold transparent communication during cybersecurity incidents.

Contact the ITRC

If you want to know more about how to protect your business or personal information, have questions about the Blackbaud settlement, or think you have been the victim of an identity crime, contact us. You can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Check out our last Weekly Breach Breakdown podcast, where we update you on all of the contemplated state consumer privacy laws as legislators make their final push before adjourning for the summer. We will return next week with another episode of the Weekly Breach Breakdown.