SecurityWeek

Data Breaches

Blackbaud Settles With California for $6.75 Million Over 2020 Data Breach

Blackbaud was ordered to pay $6.75 million to the California Attorney General’s Office over the 2020 data breach.

Fundraising software provider Blackbaud was ordered to pay $6.75 million to the California Attorney General’s Office in a settlement over the poor security practices that led to a ransomware attack and data breach in May 2020.

Blackbaud disclosed the ransomware attack in June 2020 and confirmed the data breach a month later, saying it took steps to ensure that the attackers deleted the stolen information. The company paid a 24 bitcoin ($250,000) ransom.

In October 2020, the company revealed that the attackers had compromised Social Security numbers, bank account details, and login credentials, which were stored unencrypted.

A government investigation into the incident revealed that sensitive information from 13,000 nonprofits, universities, hospitals, and organizations using Blackbaud was compromised in the attack, including the financial, health, and personal information of donors or clients.

Fined $3 million in March 2023, the cloud software provider agreed in October 2023 to a $49.5 million settlement with the attorneys general of 49 states and Washington, D.C.

In January 2024, the Federal Trade Commission (FTC) ordered Blackbaud to develop a comprehensive information security program and to erase all data it no longer needs to provide its services, accusing the company of failing to properly secure data and of downplaying the extent of the incident.

The FTC said that the cloud software provider lacked encryption for sensitive data, failed to properly monitor and segment its network, did not have strong password requirements or multi-factor authentication, and failed to delete data that it no longer needed.

Last week, California Attorney General Rob Bonta announced a settlement with Blackbaud over the poor security practices that led to the data breach and over its misleading statements about its security efforts prior to the incident and about the extent of the data breach.

Under the settlement (PDF), Blackbaud must pay $6.75 million in penalties, strengthen its data security and improve breach notification practices.

The company is required to keep database backups containing personal information only to the minimum extent necessary and then securely dispose of them, implement strong password-related policies, and tighten the policies and procedures governing its security infrastructure.

“Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents,” Attorney General Bonta said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
