[BreachExchange] Class Action Lawsuit Questions Blackbaud's Hacker Payoff

[Destry Winant]

https://www.databreachtoday.com/class-action-lawsuit-questions-blackbauds-hacker-payoff-a-14922

Filing a class action lawsuit against a business that has suffered a
data breach is a common occurrence.

Increasingly, however, ransomware is becoming part of the mix, owing
to gangs first exfiltrating data and then threatening to leak it if
victims don't pay a ransom (see: Ransomware + Exfiltration + Leaks =
Data Breach).

Ransomware adds a further wrinkle to the data breach discussion and
potential legal ramifications for breached organizations: A growing
number of organizations hit by ransomware have said that they were
able to wipe and restore systems from backups, but they paid a ransom
to their attackers anyway in return for a promise that they would
delete all of the stolen data and not provide or sell it to anyone
else first.

Blackbaud first revealed that it was hit by ransomware-wielding
attackers who also stole data in this July 16, 2020, data breach
notification (click to enlarge).

Can thieves be trusted to honor such promises? That's one question
posed by a lawsuit seeking class action status filed against South
Carolina-based Blackbaud. The publicly traded firm, which provides
cloud-based marketing, fundraising and customer relationship
management software used by thousands of charities, universities,
healthcare organizations and others, suffered a data exfiltration and
ransomware attack in May.

Questions persist about the Blackbaud breach because the company
detected the intrusion in May but only notified customers beginning in
July. The list of victims includes organizations in Europe, meaning
Blackbaud must comply with the EU's General Data Protection
Regulation, which requires that regulators be informed within 72 hours
of any breach about the details of what happened and what was stolen.
Blackbaud has yet to respond to Information Security Media Group's
request to clarify when it first notified European regulators (see:
Blackbaud's Bizarre Ransomware Attack Notification).

'We Paid the Cybercriminal's Demand'

In its breach notification, Blackbaud notes that it paid a ransom to
secure a promise from attackers that they would delete all stolen
data.

"Prior to our locking the cybercriminal out, the cybercriminal removed
a copy of a subset of data from our self-hosted environment,"
Blackbaud states in its breach notification. "The cybercriminal did
not access credit card information, bank account information or Social
Security numbers. Because protecting our customers' data is our top
priority, we paid the cybercriminal's demand with confirmation that
the copy they removed had been destroyed."

Following the breach notification, Blackbaud was hit on Aug. 12 by a
lawsuit seeking class action status, filed by Whitfield Bryson & Mason
LLP on behalf of U.S. resident William Allen, whose "private
information was compromised as a direct and proximate result of the
data breach."

The lawsuit seeks, in part, seven years of prepaid identity theft
monitoring for victims. It alleges that the company's security
defenses were inadequate and that attackers may have compromised
massive quantities of PII, including Social Security, credit card and
bank account numbers.

One of the firm's attorneys, Matthew Lee, tells ABC affiliate WFTS in
Florida that tens of thousands of individuals could have had their PII
compromised and may thus be at life-long risk of identity theft.

The lawsuit also calls out the company's mention of paying attackers
as a way to try and safeguard victims. "To believe basically a
criminal who's hacked into your system that they have stood by their
word and deleted the information, I don't think that cuts it," Lee
told WFTS.

Excerpt from the lawsuit against Blackbaud

Most Data Breach Lawsuits (Still) Fail

Many data breaches trigger lawsuits alleging that the breached
organization had poor security controls and that victims are due
compensation. But at least in the U.S., very few of these lawsuits
succeed. Legal experts say that's because many courts have held that
victims must suffer harm, and such harm can only be demonstrated by
financial loss (see: Why So Many Data Breach Lawsuits Fail).

Lawsuit filed by William Allen against Blackbaud on Aug. 12, 2020

"In pure privacy violations, courts have been reluctant to find
compensable harm to data breach victims as the result of mere exposure
of certain types of personal information, because the victim can't
show any actual harm as a result, as opposed to theoretical harm -
fear that at some point in the future, I might have my identity
stolen," says attorney Mark Rasch, who's of counsel to the law firm of
Kohrman, Jackson & Krantz, who is not involved in the case.

"If you look at the history of data breaches, the early breaches were
of credit card information, and the harm was that someone would steal
money from the account and you'd be liable for it," he tells
Information Security Media Group.

States' data breach notification laws are designed to ensure affected
consumers are notified so they can take steps to safeguard their PII.

But banks or credit card companies are now often the first ones to
spot a breach - because they see a series of unusual charges across
cards - after which they'll cancel cards and issue new ones. Card
issuers will typically reimburse any fraud that results. "So the
mitigation has already happened before the breach notification," Rasch
says.

Many breached organizations will also offer at least a year of prepaid
identity theft monitoring services, if credit card, Social Security
numbers or other data that might be used for identity theft purposes
was exposed.

That doesn't stop numerous lawsuits from alleging privacy violations.
But in the U.S., harm requires showing a financial loss, and privacy
has no dollar value (see: Ashley Madison: The Impact of Some Data
Breaches Is Forever).

"The fact that we don't assign a dollar value to privacy [means] we
don't value privacy," Rasch says.

Blackbaud Focused on Mitigation

What about the lawsuit's strategy of attempting to blame Blackbaud for
paying a ransom to attackers to try to safeguard stolen data? Rasch
says that action might actually work in Blackbaud's favor because it
shows the company took deliberate steps to try to manage the incident
and mitigate its impact, rather than something nefarious, like trying
to cover it up.

"They didn't ... pay the hackers for their silence; they paid the
hackers to delete and wipe and validate the deletion and wiping of the
data - and that's not necessarily an unreasonable thing to do," Rasch
says. "I don't know how much you can believe them or credit them, but
even so, you know you're not paying for silence; you're paying for
mitigation."