Blackbaud Settles Ransomware Breach Case For $49.5m

Written by

Software provider Blackbaud has reached a multimillion-dollar agreement with 49 states over charges connected to a massive 2020 ransomware breach which impacted 13,000 non-profit customers.

Blackbaud first revealed the incident in July 2020, but attorneys general in dozens of US states subsequently took legal action against the firm after claiming it had concealed the extent of the breach and the volume of records taken.

These included Social Security numbers, healthcare information and financial details related to donors of many of Blackbaud’s charity customers. Over one million files were ultimately compromised by threat actors in the breach.

The South Carolina-based firm, which produces software to help non-profits raise funds and manage data, paid its extortionists in return for ‘assurances’ that they had deleted the stolen data. It’s a move that was heavily criticized by security experts at the time, as there’s a strong probability in such cases that threat actors may end up monetizing the data in any case.

Blackbaud has already been forced to settle in a separate case, paying $3m to the SEC after the regulator alleged that the firm’s staff had misled investors about the impact of the ransomware breach.

Read more on Blackbaud: Blackbaud Breach Hits Nine More Universities.

Under the terms of the new agreement, Blackbaud will accept no wrongdoing for the incident. However, it has agreed to fortify its data security, improve customer notification if another breach occurs and have a third party assess compliance with the terms of the settlement for a seven-year period.

The settlement funds will be paid by the end of October.

Among Blackbaud’s extensive client list, compromised organizations included hospitals, charities, religious organizations and numerous universities both in and outside the US.

These include University College Oxford, the University of London, Canada’s Ambrose University, the University of York, the Rhode Island School of Design, Human Rights Watch and mental health charity Young Minds.

Editorial image credit: Pavel Kapysh /

What’s hot on Infosecurity Magazine?