[BreachExchange] Blackbaud Faces Class Action Lawsuit After Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Aug 28 10:41:56 EDT 2020


https://www.thenonprofittimes.com/npt_articles/blackbaud-faces-class-action-lawsuit-after-data-breach/

A petition for a class action lawsuit against software and data
services giant Blackbaud has been filed with the United States
District Court District of South Carolina in Charleston after a system
breach exposed donor data to hackers. The suit stems from a data
breach which happened on Feb. 7 and was not discovered by the company
until May 14. Users were not notified until July, as reported
exclusively by The NonProfit Times.

Blackbaud provides a variety of data services and software to the
nonprofit community. The incident was in the form of a ransomware
attack in which hackers downloaded information and attempted to wrest
control of Blackbaud’s systems and data hosting operations. They
demanded payment for the destruction of the stolen material. Blackbaud
paid an undisclosed amount in Bitcoin, as reported first by The
NonProfit Times on July 16.

According to papers filed with the United States District Court
District of South Carolina by William Allen, sworn to be a Raleigh,
N.C., resident, the incident has resulted in consumers experiencing
“ascertainable losses in the form of out-of-pocket expenses and the
value of their time reasonably incurred to remedy or mitigate the
effects of the attack.”

Asked for reaction to the suit, a Blackbaud spokesperson said,
“Blackbaud disagrees with the allegations and intends to demonstrate
they are without merit.” Further comment was declined.

The criminals’ attempts to access and control the data ended by June
3, although they remained in contact with Blackbaud until at least
June 18, Blackbaud spokespeople told The NonProfit Times in early
August. On June 25, a third-party forensic assessor gave Blackbaud a
report regarding clients’ potential exposure.

Blackbaud also said the vulnerability exploited by the ransom
demanders had been fixed, and there was no additional risk of
information exposure between the start of its investigation and
customer notification. Blackbaud representatives have asserted bank
account information, credit card information and social security
numbers were not accessed.

According to the request for class action certification, notifications
sent out by Blackbaud advised those potentially affected “to monitor
suspicious activity of their credit and accounts, that Social Security
Numbers, credit card numbers, bank account numbers, and additional
personally identifiable information (collectively ‘Private
Information’) may also have been compromised.” Such language is
standard for data security breach notifications.

Allen’s complaint alleges Blackbaud did not provide timely
notification of the breach, owing to Blackbaud’s alleged failures both
in discovering the breach and in sealing it. The papers further assert
Blackbaud and its employees failed to properly monitor its network,
security and communications, failed to implement secure communications
policies and failed to train employees regarding ransomware attacks.

According to the complaint, “Plaintiff and Class Members’ identities
and Private Information are now at risk because of Defendant’s
negligent conduct as the Private Information that Defendant collected
and maintained was in the hands of data thieves. Defendant cannot
reasonably maintain that the data thieves destroyed the subset copy
simply because Defendant paid the ransom and the data thieves
confirmed the copy was destroyed.”

Additionally, in Blackbaud’s data breach notifications to clients and
consumers, the company advised clients and consumers to monitor their
credit and other account activity for suspicious activity, such as
unauthorized charges or identity theft, without compensation for the
cost of credit monitoring services, time lost monitoring accounts, or
stress resulting from the breach.

While Allen’s claim asserts a higher likelihood of identity theft and
other difficulties, it does not document any actual fiscal damage. The
court papers petition for redress for the plaintiff and all class
members as a result of several actions, including: negligence;
wrongful intrusion into private affairs/invasion of privacy; breach of
express contract; breach of implied contract; negligence per se; and
violation of state data breach statutes. The last stems from
allegations of flawed data security procedures and lack of timeliness
in notification practices.

In addition to certification as a class action, the plaintiff seeks to
compel Blackbaud to strengthen its data security practices in an
unspecified way, to change the practices that led to the breach, to pay
both actual and punitive damages, and to pay attorneys’ fees and
costs.

Allen also seeks a minimum of seven years of credit monitoring
services for the entire class.

There is currently no federal law covering data breach consumer
protections. A bill currently being considered by the North Carolina
legislature, H.B. 904, calls for companies subject to data
breaches to provide two years’ credit monitoring, unless the affected
company is a credit monitoring firm, in which case it must provide
four years’ credit monitoring.
