Amongst the flurry of recent data breaches, a few household names might catch your eye – such as Dickey’s BBQ or Kylie Cosmetics. However, some of the most pervasive and potentially damaging cybersecurity incidents remain largely under the public radar despite their massive reach.
The Blackbaud ransomware attack may prove to be one of the most extensive, complex data breaches of 2020, as the list of affected organizations (and individuals) continues to grow months after the incident was first discovered. One such recent addition is Stetson University.
Blackbaud is one of the world’s largest cloud-based technology vendors, providing services for nonprofits, foundations, corporations, educational institutions and healthcare organizations. Headquartered in Charleston, South Carolina, the company reports over 45,000 customers in over 100 countries, including the United States, the United Kingdom, Australia and Canada. Its market capitalization is $3.2 billion on reported revenue of $908 million.
On May 20, 2020, Blackbaud discovered a hack on its self-hosted environment that allowed the theft of sensitive personal information of client donors, potential donors, patients, community members with relationships with entities and other individuals tied to affected organizations. The security incident began on February 7, 2020 and continued until it was discovered in May.
In mid-August, Blackbaud began notifying clients that were impacted by the ransomware attack. Initially, the vendor claimed that highly confidential data, such as banking information, was not at risk. However, further forensic investigation suggested otherwise for some customers. Blackbaud began informing affected clients of this development on September 27, 2020.
Compromised data varies by entity and collectively includes:
Blackbaud reportedly paid the ransom demand and claims to have obtained confirmation that the stolen data has been destroyed. Unfortunately, according to industry experts, ransomware actors generally cannot be relied on to destroy data as promised, so exposed personal information may still lead to further security issues, including identity theft and fraud.
It is unknown how many of Blackbaud’s 45,000 non-profit and government customers were impacted. The largest known client involved in the breach is Inova Health System in Virginia with 1.05 million individuals affected.
Blackbaud clients who have released public statements and/or formal notices of data breach include:
In response to the massive data breach, at least 10 separate class-action lawsuits have been filed against Blackbaud, including in the U.S. District Court of South Carolina, the U.S. District Court Western District of Washington and the California Central District Court. A motion has been filed to consolidate these lawsuits into one.
If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt out, and no further action will be required of you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation, regardless of the degree of harm they suffered.