Blackbaud, a cloud software provider, has been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the ransomware attack and data breach that the company suffered in May 2020.

According to a BleepingComputer report, Blackbaud announced it had been named as a defendant in 23 putative consumer class action cases (17 in U.S. federal courts, 4 in U.S. state courts and 2 in Canadian courts), following the data breach that occurred in May of 2020. Blackbaud then noted that "they had discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers."

Blackbaud confirmed that it had paid the cybercriminal's demand, with confirmation that the copy the cybercriminal removed had been destroyed.

In its 2020 Q3 Quarterly report filed with the U.S. Securities and Exchange Commission (SEC), Blackbaud said, "The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs, and attorneys’ fees, and other related relief."

The company also confirmed that the U.S. Federal Trade Commission, the U.S. Department of Health and Human Services, the Information Commissioner’s Office in the United Kingdom (ICO), the Office of the Australian Information Commissioner, and the Office of the Privacy Commissioner of Canada have sent communications, inquiries and requests.

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions, notes, “These lawsuits are an example for companies that choose to pay the ransom. There is no guarantee that the attackers did destroy all of the data. It could resurface and pose a risk to the litigants. While there are no magic bullets in cybersecurity to prevent an attack, this should be a call to action for companies that are not investing in their security program to prevent, detect and respond to these types of attacks. In addition to the class action suits, there are government agencies from the United States, United Kingdom, Australia and Canada looking into this incident, which means hefty fines could also be leveraged.”