Blackbaud Mulling Lawsuit after Paying Cybercriminals Ransom with Bitcoin
Blackbaud is the premier provider of fundraising and financial services for nonprofits. The company was unfortunately hacked, and a trove of consumer data was put at risk by professional cybercriminals.
The Blackbaud team learned of the intrusion in May 2020. Law enforcement and forensic experts became involved in containing and halting the attack. During the breach, the Blackbaud team was able to secure user access and its encrypted files.
Before this, Blackbaud personnel had noticed malicious activity occurring internally. Once the cybercriminals realized that Blackbaud had closed off the breach, they demanded a ransom in exchange for destroying the files they had copied.
Upon discovery of the data breach, Blackbaud went ahead and paid the cybercriminals a ransom in Bitcoin to destroy the data. The company did not disclose the amount it paid.
Consumer Subset Data
The criminals were able to obtain a copy of a subset of data drawn from user activity. However, they did not get the richer trove of consumer data such as credit card numbers, bank account numbers, and social security numbers.
Blackbaud is listed on the NASDAQ as a publicly traded company. Revenues for the year are $908.2 million, with a market cap of $2.7 billion. The stock price is competitive at $54.28; however, it is down 30.8% for the year.
If the company considered the paid ransom a material fact for its financial health, the SEC would require it to file a Form 8-K. A spokesperson for Blackbaud said no such filing would be made or disclosed.
Ransomware Attacks
Having stopped the ransomware attack, Blackbaud wants its customers to know that their data and online activity are safe and secure, and that their data will not be disseminated or made available to the public. Blackbaud says it paid the ransom in Bitcoin only after the cybercriminals guaranteed that customers' private data would not be discoverable on the internet and that the data would be destroyed.
For additional assurance, Blackbaud hired third-party experts to scour the internet and the dark web for any leaked customer data. So far, no such customer data has been found released to the public.
However, this has not stopped a new class-action lawsuit from disgruntled customers. Hackers made inroads into the Blackbaud system as early as February 7, 2020. Blackbaud did not discover the security breach until May 14, 2020. Customers were not informed of the breach until July 2020.
Class-Action Lawsuit
The new class-action lawsuit was filed in the United States District Court of South Carolina in Charleston. According to the plaintiff, William Allen, the security breach has brought irreparable harm to customers in the form of time lost remedying the data loss and extra out-of-pocket expenses for identity theft monitoring.
Of course, a spokesperson for Blackbaud disagrees with the class-action lawsuit. The company maintains that the allegations are unnecessary and unfounded and that any vulnerabilities in the system have been secured. Representatives for Blackbaud said that sensitive personal information such as credit card numbers and social security numbers was not exposed.
Cybercriminals remained in contact with Blackbaud until June 18, 2020, but they had been unable to access customer data since June 3, 2020. By June 25, 2020, third-party experts had given Blackbaud representatives their assessment of the risk factors for customer data exposure.
To minimize risk, Blackbaud sent out notices advising its customers to monitor their bank accounts, credit card accounts, and any new lines of credit opened under their social security numbers, since private account information may have been compromised. Sending such notices to customers is standard procedure after a ransomware breach.
On the other hand, the lawsuit alleges that:
- Blackbaud failed to notify customers of the data breach in a timely manner.
- Blackbaud failed to secure the network to prevent ransomware attacks.
- Employees did not properly monitor the network and its communications.
- Management did not train employees about ransomware attacks.
- Blackbaud cannot assume that the cybercriminals actually destroyed the copied subset of data.
In addition to these allegations, the lawsuit notes that Blackbaud expects its customers to take the necessary precautions themselves, paying for credit monitoring services and identity theft insurance with no compensation from the company.
Allen hopes that the court finds Blackbaud liable for negligence, invasion of privacy, breach of contract, breach of implied contract, and violation of state data breach statutes. The plaintiff asks that Blackbaud pay for seven years of identity theft services, actual and punitive damages, plus attorney fees.
Presently, there is no federal law covering consumer damages from security breaches. North Carolina is considering a bill under which companies would have to pay for at least two years of identity theft protection after a consumer data breach.