Blackbaud: The Behemoth Data Breach You Haven’t Heard About — But Should

Amongst the flurry of recent data breaches, a few household names might catch your eye – such as Dickey’s BBQ or Kylie Cosmetics. However, some of the most pervasive and potentially damaging cybersecurity incidents remain largely under the public radar despite their massive reach.

The Blackbaud ransomware attack may prove to be one of the most extensive, complex data breaches of 2020, as the list of affected organizations (and individuals) continues to grow months after the incident was first discovered. One such recent addition is Stetson University.

What is Blackbaud, and Why are so Many Entities Involved?

Blackbaud is one of the world’s largest cloud-based technology vendors that provides services for nonprofits, foundations, corporations, educational institutions and healthcare organizations. Headquartered in Charleston, South Carolina, the company reports over 45,000 customers in over 100 countries, including the United States, the United Kingdom, Australia and Canada. Its market capitalization is $3.2 billion on reported revenue of $908 million.

What Happened?

On May 20, 2020, Blackbaud discovered a hack on its self-hosted environment that allowed the theft of sensitive personal information of client donors, potential donors, patients, community members with relationships with entities and other individuals tied to affected organizations. The security incident began on February 7, 2020 and continued until it was discovered in May.

In mid-August, Blackbaud began notifying clients that were impacted by the ransomware attack. Initially, the vendor claimed that highly confidential data, such as banking information, was not at risk. However, further forensic investigation suggested otherwise for some customers. Blackbaud began notifying affected clients of this development on September 27, 2020.

Compromised data varies by entity and collectively includes:

  • Names
  • Phone numbers
  • Addresses
  • Birthdates
  • Donation history
  • Events attended
  • Bank account information
  • Credentials
  • Social Security numbers (SSN)
  • Usernames
  • Passwords
  • Provider names
  • Dates of service

Blackbaud reportedly paid the ransom demand and claims to have obtained confirmation that the stolen data has been destroyed. Unfortunately, according to industry experts, ransomware actors generally cannot be relied on to destroy data as promised, so exposed personal information may still lead to further security issues, including identity theft and fraud.

Who was Affected?

It is unknown how many of Blackbaud’s 45,000 non-profit and government customers were impacted. The largest known client involved in the breach is Inova Health System in Virginia with 1.05 million individuals affected.

Blackbaud clients who have released public statements and/or formal notices of data breach include:

  • American Red Cross
  • Atrium Health
  • Berkshire Farm Center & Services for Youth, Inc.
  • Burke Rehabilitation Hospital
  • Cancer Research Institute
  • Children’s Hospital of Pittsburgh Foundation
  • Corning Glass Museum of Glass, New York
  • Devereux Advanced Behavioral Health
  • Enloe Medical Center
  • Feed More, Virginia
  • George W. Bush Presidential Center
  • Guthrie Clinic
  • Harvard University
  • Human Rights Watch
  • Inova Health System, Virginia
  • Joslin Diabetes Center
  • Main Line Health
  • March of Dimes
  • Middlebury College, Vermont
  • Montefiore Medical Center
  • MultiCare Foundation
  • New College of Florida
  • Northern Light Foundation, Maine
  • NorthShore University Health System, Illinois
  • Northwest Immigrant Rights Project
  • Northwestern Memorial HealthCare
  • Parrish Art Museum, New York
  • Planned Parenthood
  • Prelude Behavior Services
  • Rady Children’s Hospital, San Diego
  • Rhode Island School of Design
  • Roper St. Francis Healthcare
  • Saint Luke’s Foundation
  • St. Joseph School
  • Smithsonian Institution
  • Spectrum Health
  • Stetson University
  • The Boy Scouts of America
  • The Christ Hospital Health Network
  • Trinity Health
  • University of Kentucky HealthCare
  • University of North Florida
  • Vermont Foodbank
  • Vermont Public Radio
  • West Virginia University
  • White Plains Hospital

Legal Action

In response to the massive data breach, at least 10 separate class-action lawsuits have been filed against Blackbaud, including in the U.S. District Court of South Carolina, the U.S. District Court Western District of Washington and the California Central District Court. A motion has been filed to consolidate these lawsuits into one.

How do I join a class action suit?

If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt out, and no further action will be required of you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation, regardless of the degree of harm they suffered.