Fundraising software provider Blackbaud was ordered to pay $6.75 million to the California Attorney General’s Office to settle allegations that poor security practices led to a ransomware attack and data breach in May 2020.
Blackbaud disclosed the ransomware attack in June 2020 and confirmed the data breach a month later, saying it took steps to ensure that the attackers deleted the stolen information. The company paid a 24 bitcoin ($250,000) ransom.
In October 2020, the company revealed that the attackers had compromised Social Security numbers, bank account details, and login credentials, which were stored unencrypted.
A government investigation into the incident revealed that sensitive information from 13,000 nonprofits, universities, hospitals, and organizations using Blackbaud was compromised in the attack, including the financial, health, and personal information of donors or clients.
Fined $3 million in March 2023, the cloud software provider agreed in October 2023 to a $49.5 million settlement with the attorneys general of 49 states and Washington, D.C.
In January 2024, the Federal Trade Commission (FTC) ordered Blackbaud to develop a comprehensive information security program and to erase all data it no longer needs to provide its services, accusing the company of failing to properly secure data and of downplaying the extent of the incident.
The FTC said that the cloud software provider lacked encryption for sensitive data, failed to properly monitor and segment its network, had neither strong password requirements nor multi-factor authentication, and failed to delete data that it no longer needed.
Last week, California Attorney General Rob Bonta announced a settlement with Blackbaud over the poor security practices that led to the data breach, as well as over the company’s misleading statements about its security efforts prior to the incident and about the extent of the breach.
Under the settlement, Blackbaud must pay $6.75 million in penalties, strengthen its data security, and improve its breach notification practices.
The company is required to retain database backups containing personal information only for the minimum period necessary and then securely dispose of them, implement strong password-related policies, and tighten the policies and procedures governing its security infrastructure.
“Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents,” Attorney General Bonta said.