Blackbaud Settles With California for $6.75 Million Over 2020 Data Breach


June 18, 2024 at 06:19AM

Blackbaud was ordered to pay $6.75 million in a settlement over a ransomware attack and data breach. The company paid a $250,000 ransom and later revealed that sensitive information from 13,000 organizations using its services was compromised. Blackbaud has also agreed to a $49.5 million settlement and to develop the comprehensive information security program ordered by the FTC.

Summary:
– Blackbaud, a fundraising software provider, was ordered to pay $6.75 million to the California Attorney General’s Office in a settlement over the poor security practices that led to a ransomware attack and data breach in May 2020.
– The company confirmed the ransomware attack in June 2020 and the data breach a month later. It paid a 24 bitcoin ransom.
– The incident compromised sensitive information from 13,000 nonprofits, universities, hospitals, and organizations, including financial, health, and personal information.
– In March 2023, Blackbaud was fined $3 million, and in October 2023, it agreed to a $49.5 million settlement with the attorneys general of 49 states and Washington, D.C.
– In January 2024, the Federal Trade Commission (FTC) ordered Blackbaud to develop a comprehensive information security program and to delete unnecessary data.
– The FTC found that Blackbaud lacked encryption for sensitive data and failed to properly monitor and segment its network, among other deficiencies.
– Last week, Blackbaud settled with the California Attorney General, agreeing to pay $6.75 million in penalties and strengthen its data security and breach notification practices.

Takeaways:
– Blackbaud faced significant financial penalties and settlements due to its poor security practices and the resulting data breach.
– The company’s handling of the incident, including misleading statements about security efforts and the extent of the breach, led to regulatory actions.
– Blackbaud is now required to improve its data security, breach notification practices, and overall information security program.
– The settlements and regulatory actions highlight the importance of prioritizing and enhancing security measures to safeguard consumers’ personal information and prevent future incidents.
