Cloud provider Blackbaud will pay $49.5 million for its security negligence

A three-year investigation into the data leak has produced a conclusion.

A lengthy investigation into the cyber incident that involved Blackbaud, one of the top cloud service providers, in May 2020 is now complete. The business and the solicitors general of 49 US states have come to a $49.5 million payment agreement.

Blackbaud specializes in offering cloud computing software solutions for non-profit organizations, including charities, schools, and hospitals, with a focus on managing donor databases.

More than 13,000 Blackbaud business clients and their customers in the US, Canada, the UK, and the Netherlands had highly sensitive data that was compromised in the data breach in July 2020. The attackers took unencrypted banking information, login credentials, and social security numbers during the attack. Blackbaud paid the ransom after the attackers asserted that all stolen data had been destroyed.

The company was accused of breaking HIPAA, breach notification, and consumer protection laws, which were all addressed by the $49.5 million settlement.

In accordance with the agreement, Blackbaud will:

1. Create and keep an incident response plan for security;
2. When a security breach occurs, give its clients the proper assistance;
3. Improve employee training and notify your CEO and board of directors of any security incidents;
4. Enact measures to protect the security of personal data, such as full database encryption and monitoring of the dark web;
5. Network segmentation, patch management, firewalls, intrusion detection, access control, logging and monitoring, and penetration testing can all be used to strengthen security;
6. For a period of seven years, permit outside parties to assess the company's adherence to the terms of the contract.

Blackbaud stated that at least 43 state and the District of Columbia solicitors general were looking into the incident in its Q3 2020 report. By November 2020, 23 lawsuits had been filed in the US and Canada to set up consumer class actions pertaining to the security incident.

Additionally, the business consented to pay $3 million to resolve claims made by the Securities and Exchange Commission (SEC) that it failed to disclose the full extent of the 2020 cyberattack. As a result, key information about the full extent of the breach was left out of the SEC report, and the risks associated with unauthorized parties accessing private donor information were downplayed and described as hypothetical.