A software company targeted in a 2020 ransomware attack that exposed the personal information of hundreds of Oregonians will pay the state’s Department of Justice nearly $656,000.
It’s part of a $50 million settlement between South Carolina-based Blackbaud involving every state in the U.S. and Washington D.C. The data breach affected 13,000 of its customers, including 174 organizations using its software in Oregon, such as the Oregon Institute of Technology’s Oregon Tech Foundation and the University of Oregon Foundation.
Oregon Attorney General Ellen Rosenblum announced Oregon’s share of the settlement Thursday. The money will go to the Oregon Department of Justice to support its investigative, consumer protection and consumer education programs.
Blackbaud sells software that helps schools, nonprofits, religious institutions and health care groups manage data about constituents and donors. This includes storing donor and constituent contact information, demographic information, Social Security and driver’s license numbers along with employment and personal health information. In May 2020, the company was attacked by ransomware and more than 1 million files were stolen, including data from about one-quarter of its clients. The company did not disclose the details of the attack to customers or publicly for two months.
Rosenblum and other state attorneys general alleged the company had poor data security practices that allowed for the ransomware attack and violated state and federal consumer protection and personal health information laws. They said Blackbaud executives downplayed the incident and that the company did not properly or timely notify customers of the breach. Some Blackbaud customers did not get notification that their personal information had been stolen.
“Blackbaud’s misconduct was nothing short of egregious. They showed real disregard for the impact their data breach had on the lives of millions of consumers and nonprofits and failed to live up to well-established legal and ethical standards,” Rosenblum said in a news release.
Earlier this year Blackbaud paid $3 million to the federal Securities and Exchange Commission for making misleading disclosures to the agency in the aftermath of the ransomware attack.
Along with the payout to states, Blackbaud has agreed to overhaul its data security and breach notification practices. The company will also undergo third party assessments of its data security systems to ensure compliance with the terms of the settlement for the next seven years.
Oregon Capital Chronicle
Oregon Capital Chronicle is part of States Newsroom, a network of news bureaus supported by grants and a coalition of donors as a 501c(3) public charity. Oregon Capital Chronicle maintains editorial independence. Contact Editor Lynne Terry for questions: firstname.lastname@example.org. Follow Oregon Capital Chronicle on Facebook and Twitter.