Blackbaud, a provider of fundraising software, has agreed to a $6.75 million settlement with the California Attorney General’s Office to resolve claims stemming from inadequate security practices that led to a ransomware attack and subsequent data breach in May 2020.

The ransomware attack was first disclosed by Blackbaud in June 2020, with confirmation of a data breach following a month later. Blackbaud reported paying a ransom of 24 bitcoins (approximately $250,000) to ensure the deletion of the stolen data. However, in October 2020, it was revealed that the attackers had accessed sensitive information, including unencrypted Social Security numbers, bank account details, and login credentials.

An investigation uncovered that the breach affected sensitive information from around 13,000 nonprofits, universities, hospitals, and other organizations using Blackbaud’s services, compromising the financial, health, and personal data of donors and clients.

In March 2023, Blackbaud was fined $3 million, and by October 2023, the company had agreed to a $49.5 million settlement with the attorneys general of 49 states and Washington, D.C. Furthermore, in January 2024, the Federal Trade Commission (FTC) mandated that Blackbaud establish a comprehensive information security program and delete unnecessary data. The FTC cited numerous security shortcomings, such as lack of encryption, poor network monitoring, weak password policies, and the absence of multi-factor authentication.

Last week, California Attorney General Rob Bonta announced the settlement with Blackbaud, emphasizing the company’s inadequate security measures and misleading statements regarding the extent of the breach. As part of the settlement, Blackbaud is required to pay $6.75 million in penalties, enhance its data security practices, and improve its breach notification procedures.

The settlement stipulates that Blackbaud must retain personal information only for the minimum necessary duration, enforce robust password policies, and strengthen its security infrastructure.

“Blackbaud’s failure to protect consumers’ personal information and their misleading public statements about the data breach’s full impact are unacceptable. This settlement ensures that Blackbaud will prioritize the safeguarding of consumers’ personal information and improve security measures to prevent future incidents,” stated Attorney General Bonta.

Source Article – Blackbaud Settles With California for $6.75 Million Over 2020 Data Breach