Blackbaud’s $6.75M Fine For Ransomware Attack – A Wake-Up Call for Data Security

In a landmark decision, the California Attorney General’s Office has ordered Blackbaud, a South Carolina-based software company, to pay a hefty fine of $6.75 million. This penalty is a settlement for a ransomware attack that occurred in May 2020, a stark reminder of the importance of robust data security practices.

The attack was attributed to poor security practices within the company. The threat actors managed to compromise unencrypted Social Security numbers, bank account details, and login credentials. Following the breach, Blackbaud made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public. These actions were found to be in violation of the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security.

The breach had far-reaching consequences, with private information from 13,000 nonprofits, universities, hospitals, and other organizations being compromised. This led Blackbaud to pay a ransom of 24 bitcoins, equivalent to $250,000.

However, the $6.75 million fine is just a part of a broader set of penalties that Blackbaud has faced. The company was initially fined $3 million in March 2023 before agreeing to a $49.5 million settlement with 49 states and Washington, DC. Furthermore, the Federal Trade Commission (FTC) ordered Blackbaud to develop an information security program and delete data that is no longer necessary for its services at the beginning of this year.

The FTC argued that Blackbaud, despite paying the ransom demanded by the threat actors, did not take additional steps to ensure that the data was deleted. The company also failed to step up its security practices, including implementing multifactor authentication, monitoring its network, and encrypting sensitive data.

Attorney General Bonta stated, “Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents.”

This case serves as a stark reminder for all organizations about the importance of data security and the potential legal and financial repercussions of failing to adequately protect sensitive information. It underscores the need for companies to invest in robust security measures, prioritize transparency in their communications, and ensure compliance with data protection laws to safeguard their stakeholders’ interests.