Blackbaud sued in 23 class action lawsuits after ransomware attack

Leading cloud software provider Blackbaud has been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the ransomware attack that the company suffered in May 2020.

Blackbaud has operations in countries around the world including the United States, the United Kingdom, Australia, and Canada.



The ransomware attack directly responsible for the software provider being sued was disclosed by the company on July 16, 2020.

The organizations impacted by the ransomware attack on Blackbaud include a long list of entities such as charities, non-profits, foundations, and universities from the U.S., Canada, the U.K., and the Netherlands.

The company said that it managed to block the attackers from completely encrypting its systems, but not before they stole "a copy of a subset of data" from a self-hosted environment.

Blackbaud paid the ransom requested by the attackers after they confirmed that the stolen data was destroyed.

Lawsuits and data regulator inquiries

Blackbaud today confirmed, in its 2020 Q3 quarterly report filed with the U.S. Securities and Exchange Commission (SEC), that it has been named as a defendant in 23 putative class suits linked to the May ransomware attack.

"To date, we have been named as a defendant in 23 putative consumer class action cases (17 in U.S. federal courts, 4 in U.S. state courts and 2 in Canadian courts) alleging harm from the Security Incident," Blackbaud said.

"The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs, and attorneys’ fees, and other related relief."

The cloud software provider has also received roughly 160 claims related to the ransomware attack from customers and/or their attorneys in the U.S., U.K., and Canada.

Inquiries into the attack have also been made by government agencies and data regulators, including a multi-state, consolidated Civil Investigative Demand issued on behalf of 43 state Attorneys General and the District of Columbia.


Additionally, the U.S. Federal Trade Commission, the U.S. Department of Health and Human Services, the Information Commissioner’s Office in the United Kingdom (ICO), the Office of the Australian Information Commissioner, and the Office of the Privacy Commissioner of Canada have sent communications, inquiries, and requests.

"We may be named as a party in additional lawsuits, other claims may be asserted by or on behalf of our customers or their constituents, and we may be subject to additional governmental inquiries, requests or investigations," Blackbaud added.

"Governmental authorities also may seek to impose undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, materially increase our data security costs or otherwise require us to alter how we operate our business."

Expenses, exposed data, and security risks

Blackbaud had to spend over $3 million to deal with the attack's aftermath between July and September, and it also recorded almost $3 million in accrued insurance recoveries during the same time period.

The cloud software provider also expects to deal with increased costs coming from the ongoing response following the attack and the efforts to boost security defenses.

"In the three months ended September 30, 2020, we recorded $3.2 million of expenses and $2.9 million of accrued insurance recoveries related to the Security Incident, and in the nine months ended September 30, 2020, we recorded $3.6 million of expenses and $2.9 million of accrued insurance recoveries related to the Security Incident," the company said.

Last month, Blackbaud also confirmed in an 8-K SEC filing that the threat actors behind the May ransomware attack were able to gain access to some customers' unencrypted banking information, login credentials, and social security numbers.

Depending on which ransomware gang stole this data, its willingness to actually destroy it as promised after receiving the ransom money, and what it will do with the data if it wasn't destroyed, Blackbaud customers may have to deal with a large array of security risks given the highly sensitive nature of the exposed information.

Over 20 ransomware operations are known for stealing sensitive documents from their victims' servers before encrypting network systems.

Maze ransomware operators, who just announced yesterday that they shut down operations, were the first ransomware gang known to publish a victim's stolen data, leaking Allied Universal's files in November 2019 after the ransom was not paid.