Blackbaud Fined $6.75M After 2020 Ransomware Attack

Threat actors were able to breach Blackbaud's systems and compromise sensitive data, largely because of the company's poor cybersecurity practices and lack of encrypted data, the AG said.

Dark Reading Staff, Dark Reading

June 18, 2024

A phone with the Blackbaud company logo on its screen, sitting on a red table
Source: SOPA Images Limited via Alamy Stock Photo

Blackbaud, a South Carolina-based software company, has been ordered by the California Attorney General's Office to pay $6.75 million to settle claims arising from a ransomware attack that took place in May 2020.

The attack occurred due to poor security practices, the AG's office said.

After Blackbaud revealed that the threat actors compromised unencrypted Social Security numbers, bank account details, and login credentials, the company "then made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public," stated the Attorney General's press release. "These actions violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security."

Private information from 13,000 nonprofits, universities, hospitals, and other organizations was compromised through Blackbaud, according to a government-led investigation, and the company paid a ransom of 24 bitcoins, or $250,000.

The fine is part of a broader set of penalties. Blackbaud was initially fined $3 million in March 2023 before agreeing to a $49.5 million settlement with 49 states and Washington, DC. At the beginning of this year, the Federal Trade Commission also ordered Blackbaud to develop an information security program and to delete data that is no longer necessary for its services.

The FTC argued that although the company paid the ransom demanded by the threat actors, it did not take additional steps to ensure that the stolen data was deleted, nor did it strengthen its security practices, such as implementing multifactor authentication, monitoring its network, and encrypting sensitive data.

"Not only did Blackbaud fail to protect consumers' personal information, but they misled the public of the full impact of the data breach," stated Attorney General Bonta. "This is simply unacceptable. Today's settlement will ensure that Blackbaud prioritizes safeguarding consumers' personal information and enhances security measures to prevent future incidents."
