September 16, 2020 – Blackbaud Facing At Least Two More Data Breach Class Actions
Blackbaud, Inc. is the defendant in at least two more proposed class action lawsuits centered on a three-month ransomware attack in which clients’ sensitive information was allegedly held hostage by unauthorized parties demanding Bitcoin payment.
The cases, filed respectively on September 11 in California and Florida federal courts, chide Blackbaud for informing clients—who include, among other notables, Harvard University, Planned Parenthood and National Public Radio—of the data breach in either July or August 2020, months after the incident was discovered.
According to one suit, though Blackbaud initially represented to those affected by the breach that the perpetrator did not access financial information or Social Security numbers, customers have since come to learn the individual in fact accessed everything from credit card and bank account numbers to birthdates, driver’s license numbers, medical details and passport numbers. Of the incident, the suits say Blackbaud has been unacceptably cagey with regard to the specifics.
“Blackbaud has acknowledged that there was an undetected vulnerability that led to the breach,” the California case says. “Blackbaud has refused to provide any further information regarding the undetected vulnerability. Upon information and belief, the undetected vulnerability and subsequent data breach were the result of substandard data security practices.”
The Florida complaint charges that Blackbaud’s clients are now at a heightened risk of identity theft and fraud, in particular given the company “cannot reasonably maintain that the data thieves destroyed the subset copy [of stolen data] simply because Defendant paid the ransom and the data thieves confirmed the copy was destroyed.”
September 11, 2020 – Blackbaud Hit with Another Data Breach Class Action
The suit, filed September 4 in South Carolina federal court, claims sensitive information provided to the cloud-based software and data intelligence company by its customers—nonprofits, foundations, educational institutions, healthcare providers and scores of individuals—was illegally exposed to unauthorized third parties in a February 2020 ransomware attack due to Blackbaud’s apparently lax protection measures.
“This Data Breach was a direct result of Blackbaud’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect individuals’ [personally identifiable information] stored in its cloud,” the complaint alleges.
The plaintiff, a member of the University of Wisconsin – Eau Claire community, says the notice he and other community members received about the breach indicated the ransomware attack lasted approximately three months. Those affected by the incident have had to spend, and will continue to exert, significant amounts of time and money to protect themselves from identity theft and fraud, the suit contends.
Blackbaud, Inc. faces a proposed class action centered on a three-month ransomware attack and data breach that affected a number of schools, healthcare companies, non-profits and other organizations whose data and servers were managed by the cloud software provider.
The 36-page lawsuit claims those affected by the incident are now at a heightened risk of identity theft and fraud due to Blackbaud’s “negligent conduct” with regard to safeguarding the sensitive information of thousands of students, patients, doctors and donors.
“In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to cyberattacks,” the suit alleges. “Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.”
In the ordinary course of business, those who deal with Blackbaud are required to provide an array of sensitive, personal and private information the company then stores, maintains and secures, the suit explains. Per the suit, Blackbaud’s clients include non-profits, foundations, corporations, educational and healthcare institutions, and individual parties.
Despite assuring clients that their highly sensitive information would be “comprehensively secured,” Blackbaud found itself subject to a ransomware attack whereby a perpetrator attempted to disrupt business by locking companies out of their own data and servers, the case says.
According to the lawsuit, while the ransomware attack began in February 2020 and lasted until May 2020, it wasn’t until July or August 2020 that Blackbaud notified affected clients.
According to the defendant’s statements, Blackbaud “successfully prevented the cybercriminal from blocking our system access and fully encrypting files” and ultimately locked the third party out of its system. The defendant stated, however, that the individual removed “a copy of a subset of data from our self-hosted environment” before being kicked out, the suit says. Per the case, Blackbaud assured that credit card and bank account information and Social Security numbers were not among the data accessed by the cybercriminal.
The suit notes Blackbaud stated it paid the cybercriminal’s ransom as protecting customers’ data is the company’s “top priority” and demanded confirmation that the copy of the information the individual took from the database had been destroyed. The plaintiff argues, however, that Blackbaud “cannot reasonably rely on the word of data thieves of ‘certificate of destruction’ issued by those same thieves.”
A red flag, the case relays, is that despite claiming financial details and Social Security numbers were not among the compromised information, the defendant, in its notice to those affected by the incident, stressed to “remain vigilent [sic] and [promptly] report suspicious activity or suspected identity theft to the proper authorities.”
“Contrary to the representations in the Notices regarding the type of accessed information, it is believed based on statements by Defendant’s Clients directing Class Members to monitor suspicious activity of their credit and accounts, that Social Security Numbers, credit card numbers, bank account numbers, and additional personally identifiable information … may also have been compromised,” according to the case.
To date, Blackbaud has not offered proposed class members any remedy, including credit monitoring, the suit says.
In all, the lawsuit blames the incident not only on Blackbaud’s alleged failure to properly secure clients’ information but also on its employees’ failure to properly monitor the network and systems that house the data.
“Had Defendant properly monitored their network, security, and communications, it would have discovered the cyberattack sooner or prevented it altogether,” the lawsuit claims, adding that those affected will incur out-of-pocket costs for credit monitoring, credit freezes, and other protective measures.