Page last updated on June 18, 2024
BLACKBAUD INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2020-09-29 16:07:27 EDT.
Incident Details
Material: Unknown
Is Breach: TRUE
Records Compromised: 13,000
Data Types Impacted: Educational information, Salary, Employment information, Donation history, Spouse name, Marital status, Religious beliefs, Gender, Reasons for seeking medical treatment, Medical visit dates, Health insurance information, Physician names, Patient medical identifiers, Identified personal assets, Estimated wealth, Age, Phone Number, Date of Birth, Bank account number, Home address, Social Security Number, Name, Email, Password, Username
Compromised Date: 2020-02-07
Detected Date: 2020-05-16
Disclosure Date: 2022-07-16
Contained Date:
Recovered Date:
Attack Goal: Theft
Costs: $52.735M
- Ransom (Direct): $235K - Paid 24 Bitcoin ransom.
- Regulatory fines (Direct): $49.5M - Settlement with 49 States (excluding California) and District of Columbia.
- Regulatory fines (Direct): $3M - SEC settlement for misleading cybersecurity incident disclosure.
Filings
8-K filed on 2020-09-29
BLACKBAUD INC filed an 8-K at 2020-09-29 16:07:27 EDT
Accession Number: 0001280058-20-000044
Item 7.01 Regulation FD Disclosure.
As previously reported in our Quarterly Report on Form 10-Q for the quarter ended June 30, 2020, on July 16, 2020, we contacted certain customers to inform them about a recent security incident (the “Security Incident”). This information disclosed that in May 2020 we discovered and stopped a ransomware attack. Our Cyber Security team-together with independent forensics experts and law enforcement-successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment.
After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.
We expect our Security Incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.
8-K filed on 2023-03-09
BLACKBAUD INC filed an 8-K at 2023-03-09 17:28:11 EST
Accession Number: 0001280058-23-000010
Item 7.01 Regulation FD Disclosure.
Blackbaud, Inc. (the “Company”) has reached a settlement with the United States Securities and Exchange Commission (the “SEC”) in connection with the Company’s previously disclosed 2020 security incident, in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed SEC investigation of the Security Incident and is further described in an SEC cease-and-desist order (the “SEC Order”). Under the terms of the SEC Order, the Company has agreed to cease-and-desist from committing or causing any violations or any future violations of Sections 17(a)(2) and (3) of the Securities Act of 1933, as amended (the “Securities Act”), and Section 13(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), and Rules 12b-20, 13a-13 and 13a-15(a) thereunder. No other violations of the securities laws are alleged in the SEC Order. As part of the SEC Order, the Company has also agreed to pay a civil penalty in the amount of $3,000,000. The Company has consented to the entry of the SEC Order without admitting or denying the findings of the SEC Order, other than with respect to the SEC’s jurisdiction over the Company and the subject matter of the SEC Order. The SEC Order describing the settlement is furnished herewith as Exhibit 99.1 and the SEC’s press release announcing this resolution is furnished herewith as Exhibit 99.2.
Exhibit No. 99.1
Exhibit No. 99.2
SEC press release dated March 9, 2023
8-K filed on 2023-10-05
BLACKBAUD INC filed an 8-K at 2023-10-05 08:07:48 EDT
Accession Number: 0001280058-23-000040
Item 8.01 Other Events.
On October 5, 2023, Blackbaud, Inc. (“Blackbaud” or the “Company”) entered into separate, substantially similar Assurances of Voluntary Compliance or Assurances of Discontinuance with each of 49 state Attorneys General and the District of Columbia (collectively, the “Administrative Orders”) relating to the previously announced 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multistate Investigation”), which is further described in the substantially similar Administrative Orders filed today in each of the 49 states and the District of Columbia.
Under the terms of the Administrative Orders, the Company has agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to Blackbaud customers or the individuals whose data is stored by the Company concerning (a) the extent to which Blackbaud protects the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools.
As part of the Administrative Orders, the Company also has agreed to pay a total of $49.5 million to the 49 states and District of Columbia. The Company expects to pay the full settlement amount to each state and the District of Columbia in October 2023 from its existing liquidity. This amount was fully accrued as a contingent liability in the Company’s financial statements as of June 30, 2023.
The Company has entered into the Administrative Orders without admitting fault of liability in connection with the matters subject to the Multistate Investigation.
The foregoing description is qualified in its entirety by reference to the full text of the form of Administrative Order attached hereto as Exhibit 99.2 and incorporated by reference herein.
As previously disclosed, the Office of the Attorney General of the State of California did not participate in the Multistate Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved. Although the Company is hopeful that it can resolve this matter on acceptable terms, there is no assurance that it will be able to do so on terms acceptable to the Company and to the State of California.
Exhibit No. 99.1
Press release dated October 5, 2023, announcing the Administrative Orders
Exhibit No. 99.2
SEC Form of Administrative Order
8-K filed on 2024-02-02
BLACKBAUD INC filed an 8-K at 2024-02-02 16:13:02 EST
Accession Number: 0001140361-24-005318
Item 8.01 Other Events.
On February 1, 2024, the U.S. Federal Trade Commission (the “FTC”) announced its approval of a settlement with Blackbaud, Inc. (the “Company”) relating to the previously announced 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). When finalized, this settlement will fully resolve the previously disclosed FTC investigation relating to the Security Incident, which is further described in the FTC’s complaint and proposed order.
Under the terms of the FTC’s proposed order, the Company has agreed to certain conditions, which are reflected in their entirety in the FTC’s proposed order. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment.
The Company has agreed to the FTC’s proposed order without admitting or denying any of the allegations in the FTC’s complaint, except as expressly stated otherwise in the FTC’s proposed order.
The foregoing description is qualified in its entirety by reference to the full text of the form of the FTC’s proposed order attached hereto as Exhibit 99.2 and incorporated by reference herein.
Exhibit No. 99.1
Press release dated February 2, 2024 announcing the FTC’s proposed order.
Exhibit No. 99.2
8-K filed on 2024-05-16
BLACKBAUD INC filed an 8-K at 2024-05-16 16:09:08 EDT
Accession Number: 0001280058-24-000042
Item 7.01 Regulation FD Disclosure.
As previously disclosed, Blackbaud, Inc. (the “Company”) is a defendant in putative consumer class action cases in U.S. federal courts, which have been consolidated under multi district litigation to a single federal court, the United States District Court for the District of South Carolina Columbia Division (the “Court”) (Case No.:3:20-mn-02972-JFA) alleging harm from a 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). The plaintiffs in this case, who purport to represent various classes of individual constituents of the Company’s customers, generally claim to have been harmed by alleged actions and/or omissions by the Company in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees and other related relief.
On May 14, 2024, the Court issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs’ motion for class certification because of the plaintiffs’ failure to meet their burden of proof as to ascertainability, (2) granting the Company’s motion to exclude the multi district litigation plaintiffs’ expert on the issue of ascertainability, and (3) denying the multi district litigation plaintiffs’ motion to exclude the Company’s expert on the issue of ascertainability. Further, the Court denied as moot all other pending motions. The Court’s determination as to these motions is subject to potential appeal to the Fourth Circuit Court of Appeals (the “Fourth Circuit”), and this litigation remains ongoing without regard to whether any such appeal is sought by the plaintiffs or granted by the Fourth Circuit.
For additional information regarding the Company’s customer constituent class actions or other matters related to the Security Incident, see the Company’s most recently filed Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on May 1, 2024.
The information set forth in this Item 7.01 of this Current Report on Form 8-K shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act, regardless of any general incorporation language in such filing, unless expressly incorporated by reference in such filing.
8-K filed on 2024-06-14
BLACKBAUD INC filed an 8-K at 2024-06-14 16:17:01 EDT
Accession Number: 0001280058-24-000048
Item 8.01 Other Events.
On June 13, 2024, Blackbaud, Inc. (“Blackbaud” or the “Company”) agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the “Final Judgment”) relating to the previously disclosed 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the last remaining U.S. state attorney general investigation into the Security Incident.
Under the terms of the settlement, the Company has agreed to comply with applicable laws; not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters; and to implement and improve certain cybersecurity programs and tools. The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as previously disclosed.
As part of the settlement, the Company also agreed to pay a total of $6.75 million to the State of California. This amount was fully accrued as a contingent liability in the Company’s financial statements as of March 31, 2024.
By agreeing to the Final Judgment, Blackbaud has denied wrongdoing or liability of any kind. Nothing contained in the Final Judgment is intended to be, and shall not in any event be construed or deemed to be, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Blackbaud or any fact or violation of law, rule, or regulation.
The foregoing description is qualified in its entirety by reference to the full text of the Final Judgment attached hereto as Exhibit 99.1 and incorporated by reference herein.
Exhibit No. 99.1
Company Information
Name | BLACKBAUD INC |
CIK | 0001280058 |
SIC Description | Services-Prepackaged Software |
Ticker | BLKB - Nasdaq |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |