Blackbaud Ransomware Attack and Data Breach Florida Class Action

In May 2020, a company called Blackbaud, Inc. suffered a ransomware attack and data breach of its systems. This class action has been filed on behalf of people whose information was exposed. Blackbaud managed the servers of schools, healthcare companies, nonprofits, and other organizations. The complaint claims that Blackbaud “secured the Private Information in a reckless manner…” The counts include negligence and breach of express contract, among other things.

The class for this action is all persons in Florida whose private information was compromised in the February through May of 2020 data breach described at
www.blackbaud.com/securityincident.

The individuals who do business with Blackbaud’s clients are required to provide sensitive personal information, which is then stored and secured by Blackbaud. The information includes names, dates of birth, Social Security numbers, credit card and bank account numbers, healthcare and insurance information, photo identification, and other data.

Blackbaud admitted in its 2019 annual report that a data breach would expose it to substantial difficulties and that the security of data as “fundamental” to its business.

Nevertheless, in May 2020, it suffered a ransomware attack that its report later said tried to “disrupt business by locking companies out of their own data and servers.” The report said that after Blackbaud discovered the attack, “our Cyber Security team … successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.”

The report claims that the cybercriminal was still able to “remove[] a copy of a subset of data” but “did not access credit card information, bank account information, or social security numbers.” It said that Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.” It claims that, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly…”

The complaint alleges that the attack actually began much earlier, in February 2020, and went on for around three months.

According to the complaint, Blackbaud did not have “a sufficient process or policies in place to prevent such cyberattack, which is evident by its own statements [shortly after the attack] that it has ‘already implemented changes to prevent this specific issue from happening again.’”

The complaint claims that Blackbaud can’t “rely on the word of data thieves or ‘certificate of destruction’ issued by those same thieves” that they destroyed the information they took or that they did not access Social Security numbers or bank account or credit card numbers. If Blackbaud was certain of that, the complaint says, “it would not have advised its clients to advise affected individuals to monitor accounts for suspicious activity.”

The complaint alleges that Blackbaud has not offered its clients or the affected individuals any remedy, such as credit monitoring. In fact, the company did not notify the clients until July or August of the attack.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Blackbaud Ransomware Attack and Data Breach Florida Complaint

September 11, 2020

In May 2020, a company called Blackbaud, Inc. suffered a ransomware attack and data breach of its systems. This class action has been filed on behalf of people whose information was exposed. Blackbaud managed the servers of schools, healthcare companies, nonprofits, and other organizations. The complaint claims that Blackbaud “secured the Private Information in a reckless manner…” The counts include negligence and breach of express contract, among other things.

Blackbaud Ransomware Attack and Data Breach Florida Complaint

Case Event History

Blackbaud Ransomware Attack and Data Breach Florida Complaint

September 11, 2020

In May 2020, a company called Blackbaud, Inc. suffered a ransomware attack and data breach of its systems. This class action has been filed on behalf of people whose information was exposed. Blackbaud managed the servers of schools, healthcare companies, nonprofits, and other organizations. The complaint claims that Blackbaud “secured the Private Information in a reckless manner…” The counts include negligence and breach of express contract, among other things.

Blackbaud Ransomware Attack and Data Breach Florida Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Failure to Inform Promptly of Data Breach, Ransomware Attack, Your Privacy