Cloud software provider Blackbaud has agreed to a $49.5 million settlement with 49 U.S. state attorneys general over its 2020 ransomware attack. The investigation found the company failed to implement reasonable data security measures, misrepresented the scope of the breach, and failed to notify victims in a timely manner.
Business Impact
This settlement, reached years after the incident, demonstrates the massive, long-tail financial and reputational cost of a breach, especially when the response is mismanaged. The fine is not just for the breach itself, but for the company’s failures in transparency and security diligence.
Why It Happened
The company was found to have failed in basic security practices, such as properly segmenting its network, securely deleting old data, and implementing appropriate intrusion detection. This allowed attackers to exfiltrate a massive amount of unencrypted data from its non-profit and university clients.
Recommended Executive Action
Use this as a case study for your board. Ensure your incident response plan includes clear, accurate, and timely communication protocols co-developed with legal counsel. The case shows that a mishandled post-breach response can be as costly as the breach itself.
Hashtags: #DataBreach #Blackbaud #Ransomware #Compliance #CyberLaw #InfoSec #CyberSecurity #GRC
