Blackbaud receives a $6.75M fine following the 2020 Ransomware Attack

South Carolina-based software company Blackbaud has been directed by the California Attorney General’s Office to pay a hefty sum of $6.75 million as part of a settlement agreement following a ransomware attack that occurred in May 2020. The attack was deemed to be a result of inadequate security measures, according to the AG’s office.

The breach came to light when Blackbaud disclosed that malicious actors had accessed unencrypted Social Security numbers, bank account details, and login credentials. Subsequently, the company was accused of providing false information about the effectiveness of its data security protocols prior to the breach, as well as downplaying the extent of the breach to its nonprofit clients and the general public. This misconduct was found to be in violation of various laws related to data security, as outlined in the Attorney General’s press release.

A thorough investigation by government authorities revealed that sensitive information from approximately 13,000 nonprofits, universities, hospitals, and various other organizations had been compromised through Blackbaud. In response to the breach, the company opted to pay a ransom of 24 bitcoins, equivalent to $250,000, to the perpetrators.

The $6.75 million settlement is just one component of a broader array of penalties imposed on Blackbaud. The company had already been fined $3 million in March 2023, following which it agreed to a settlement of $49.5 million with 49 states and Washington, DC. The Federal Trade Commission also intervened earlier this year, mandating that Blackbaud establish an information security program and delete any unnecessary data from its systems.

The FTC’s intervention stemmed from concerns that even though Blackbaud complied with the ransom demand, it failed to take the necessary steps to ensure that the compromised data was securely deleted. The company was also found to have fallen short in strengthening its security measures, such as implementing multifactor authentication, actively monitoring its network, and encrypting sensitive information.

California Attorney General Bonta condemned Blackbaud’s actions, stating that the company not only fell short in protecting consumers’ personal data but also misrepresented the true extent of the data breach to the public. Bonta said that such behavior is intolerable and stressed the importance of prioritizing data security and implementing robust measures to prevent similar incidents in the future.

The fallout from the ransomware attack has underscored the critical importance of stringent data security practices for companies that handle sensitive information. The incident has not only resulted in significant financial penalties for Blackbaud but has also highlighted the reputational and legal risks associated with data breaches in today’s interconnected digital landscape. Moving forward, it is imperative for organizations to remain vigilant and proactive in safeguarding consumer data and upholding the highest standards of cybersecurity.
