Blackbaud sued after ransomware attack

November 6, 2020

Blackbaud, cloud software provider, has been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the ransomware attack and data breach that the company suffered in May 2020.

According to a BleepingComputer report, Blackbaud announced it had been named as a defendant in 23 putative consumer class action cases: 17 in U.S. federal courts, 4 in U.S. state courts and 2 in Canadian courts), following the data breach that occurred in May of 2020. Blackbaud then noted that "they had discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers."

Blackbaud confirmed they had paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed.

In its 2020 Q3 Quarterly report filed with the U.S. Securities and Exchange Commission (SEC), Blackbaud said, "The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs, and attorneys’ fees, and other related relief."

They also confirmed the U.S. Federal Trade Commission, the U.S. Department of Health and Human Services, the Information Commissioner’s Office in the United Kingdom (ICO), the Office of the Australian Information Commissioner, and the Office of the Privacy Commissioner of Canada have also sent communications, inquires and requests.

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, notes, “These lawsuits are an example for companies that choose to pay the ransom. There is no guarantee that the attackers did destroy all of the data. It could resurface and pose a risk to the litigants. While there are no magic bullets in cybersecurity to prevent an attack, this should be a call to action for companies that are not investing in their security program to prevent , detect and respond to these types of attacks. In addition to the class action suits, there are government agencies from the United States, United Kingdom, Australia and Canada looking into this incident, which means hefty fines could also be leveraged.”

Maria Henriquez joined Security Magazine in 2019 as its Associate Editor. Since then, she has been covering the security industry and reporting on issues affecting enterprise security leaders, to include cybersecurity, leadership and management, risk and resilience and pressing security challenges facing the industry. Within her role at Security, she works to produce several Special Reports and other stories for the monthly eMagazine, Newswire articles, Web Exclusive features, as well as manage social media, the 5 minutes with series, and the Today’s Cybersecurity Leader and Security enewsletter. She graduated from the University of Illinois at Urbana-Champaign with a bachelor’s in English and Creative Writing.

In this webinar, we review the rise of cloud access control and access control as a service, its advantages and disadvantages, and how to select the optimal cloud access control solution for your company.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.