
Attorney General Josh Stein Announces $49.5 Million Multistate Settlement with Blackbaud

For Immediate Release:
Thursday, October 5, 2023

Contact:
Nazneen Ahmed (919) 716-0060

(RALEIGH) Attorney General Josh Stein today announced a $49.5 million settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware attack that exposed the personal information of millions of people across the United States. The North Carolina Department of Justice received 313 security breach notices related to the Blackbaud ransomware attack, which impacted 78,697 North Carolinians. Under the settlement, Blackbaud will also overhaul its data security and breach notification practices. North Carolina will receive $1,181,270.00 that will go toward protecting consumers.

“Blackbaud failed to protect the valuable personal data it had for millions of people and then failed to let people know their information had been stolen,” said Attorney General Josh Stein. “Their actions led to hundreds more data breaches in North Carolina. When we trust companies with our data, they need to responsibly safeguard it.”

Blackbaud provides software to nonprofits, including charities, higher education institutions, K-12 schools, health care organizations, religious organizations, and cultural organizations. Blackbaud’s customers use its software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted more than 13,000 Blackbaud customers and their respective consumer constituents.

Today’s settlement resolves allegations that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized access to Blackbaud’s network, and then failed to notify its customers in a timely manner. As a result, customers whose personal information was exposed were notified late or not at all.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including:

  • Not misrepresenting how it processes, stores, and safeguards personal information, the likelihood that personal information affected by a security incident may be subject to further disclosure, and breach notification requirements under state law and HIPAA.
  • Implementing and maintaining incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Providing appropriate assistance to its customers and supporting customers’ compliance with applicable notification requirements in the event of a breach.
  • Reporting security incidents to the CEO and Board, better training employees, and setting aside appropriate resources and support for cybersecurity.
  • Safeguarding personal information with total database encryption and dark web monitoring.
  • Putting in specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
  • Having its compliance assessed by a third party for seven years.

A ransomware attack could compromise your bank account information, Social Security numbers, and other identifying details. Below are some ways to guard your data and networks against ransomware:

  • Keep your anti-virus and other anti-malware software updated.
  • Back up your data regularly.
  • Make sure you only conduct business on secure networks and through legitimate URLs.
  • Conduct a risk analysis of your network and security systems and conduct your own hacking attempts to find any security gaps.
  • Patch any vulnerabilities in your security system as soon as you identify them.
  • Allow only approved, verified programs and software to run on your computer and networks.
  • Ensure that anyone who has access to your network has been trained on best practices in cybersecurity and knows what to do if a hacking or ransomware incident occurs.
  • Do not click on attachments in phishing emails.

Attorney General Stein is joined in this settlement by the Attorneys General of Alabama, Arizona, Florida, Illinois, and New York, and joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

A copy of the settlement is available here.

###