In May 2020, a single ransomware attack sent shockwaves through the non-profit community and beyond.
Blackbaud, a leading provider of software and services to non-profits, announced that it had been the victim of a cyber attack, exposing the personal data of millions of donors, volunteers, and students.
New Update (October 5, 2023): Blackbaud has agreed to a hefty $49.5 million settlement with attorneys general from 49 U.S. states, with individual states receiving varying amounts based on the number of impacted residents.
Blackbaud Data Breach and Its Scope
The Blackbaud data breach occurred between February and May 2020, impacting an estimated 13,000 of Blackbaud’s customers and millions of their constituents. The exposed data included a wide range of sensitive information, such as:
- Names and contact information: including email addresses, phone numbers, and physical addresses.
- Financial information: including bank account numbers, credit card numbers, and donation history.
- Personal details: including Social Security numbers, driver’s license numbers, and health information.
- Employment and wealth information: including salaries, investment details, and charitable donations.
Initially, Blackbaud acknowledged the attack and admitted to paying the ransom. However, it claimed to have received “confirmation” that the stolen data had been destroyed – a statement met with skepticism and disbelief.
Blackbaud revealed in a regulatory filing that the compromised data included bank account information and Social Security numbers, significantly more sensitive than initially reported.
While the company claims that “in most cases, fields intended for sensitive information were encrypted and not accessible,” the trust has been irrevocably broken.
The Impact on Individuals
The Blackbaud data breach has had a devastating impact on millions of individuals whose personal information was exposed. The potential for identity theft, financial fraud, and other forms of cybercrime has caused widespread anxiety and fear.
Many victims have reported receiving phishing emails and phone calls that attempt to exploit the stolen data.
Beyond the immediate financial risks, the breach has also caused significant emotional distress. The knowledge that highly sensitive information is in the hands of criminals can be deeply unsettling and can erode trust in institutions and technology.
The Impact on Non-Profits
The Blackbaud data breach has also had a significant impact on the non-profit organizations that relied on Blackbaud’s services. Many non-profits have faced legal repercussions and financial losses due to the breach.
They have had to invest significant resources in notifying affected individuals, offering credit monitoring services, and implementing new security measures.
The breach has also damaged the trust between non-profits and their donors. Many donors are now hesitant to provide their personal information to non-profits, fearing that it will be compromised.
This has significantly hampered fundraising efforts and put the financial viability of many non-profits at risk.
The Securities and Exchange Commission Enforcement Action
The SEC’s investigation found violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-13, and 13a-15(a) thereunder.
To settle these charges, Blackbaud agreed to cease and desist from committing further violations and to pay a $3 million civil penalty.
The Settlement and its Implications
This $49.5 million settlement marks a significant step toward holding Blackbaud accountable for its inadequate data security practices and lack of transparency in the wake of the breach.
The settlement addresses alleged violations of state consumer protection laws, breach-notification regulations, and even the Health Insurance Portability and Accountability Act (HIPAA), owing to the exposure of protected health information.
Beyond the financial penalty, the settlement also mandates specific actions from Blackbaud to prevent future incidents. These include:
- Implementing a robust breach response plan.
- Providing assistance to customers in case of a breach.
- Enhancing employee training on data security.
- Encrypting all databases and implementing dark web monitoring.
- Improving defenses through network segmentation, intrusion detection, and penetration testing.
- Submitting to third-party assessments for seven years to ensure compliance.
While the settlement resolves the charges against Blackbaud, the wider implications of the incident remain significant.
The data breach potentially exposed millions of donors to identity theft and other financial harm, impacting the trust and confidence in charitable organizations reliant on Blackbaud’s software.