Blackbaud, a SaaS company, was attacked by ransomware in May 2020, after which it successfully prevented the cybercriminal from blocking access to its system and fully encrypting files, forcing the intruder to flee. The attacker took a copy of a portion of data from its self-hosted private cloud environment and Blackbaud ended up paying a ransom to retrieve the data.
During 2020, Blackbaud incurred $10.4 million in security-related expenses, partially offset by anticipated insurance recoveries of $9.4 million. Following the incident, Blackbaud received approximately 570 claims for reimbursement of expenses from clients or their attorneys.
Those cases were permitted to proceed by a court in July 2021. In February 2022, Blackbaud signed a credit agreement that anticipated up to $50 million of non-recurring legal costs paid in cash linked to the data breach and ransomware assault.
Blackbaud paid the ransomware attackers not long after finding out about the attack. Cybersecurity experts thought that paying the perpetrators was a bad idea.
On July 16th, 2020, Blackbaud published a data breach notice on its website, stating that ransomware attackers had been able to steal and encrypt client data in May.
Blackbaud stated, “Our cybersecurity team – together with independent forensics experts and law enforcement – succeeded in preventing the cybercriminal from blocking our system access and fully encrypting files. Before being locked out of the environment, the cybercriminal removed a copy of a part of data from our self-hosted environment.”
Because Blackbaud is a data processor, it was required to notify the ICO and the affected data controllers within 72 hours of learning about the breach.
Blackbaud did not respond to a request for how many of its customers were impacted, who they were, when they were all informed, when it notified the relevant authorities, or which ransomware strain or criminal group was involved. That implies Blackbaud’s delay violated GDPR’s requirements: by not promptly notifying both regulators and data controllers, it left clients uninformed.
While the main responsibility under GDPR for notifying the appropriate data protection authority without delay and, where feasible, not later than 72 hours after becoming aware of a data breach is on the data controller, the data processor is required to notify a data controller without undue delay once it becomes aware of a breach.
Data controllers using Blackbaud should inquire about why the notification was delayed.
Without disclosing the amount, Blackbaud claimed it paid a ransom.
There is no legislation preventing firms from paying a ransom, provided the money does not go to crypto wallets linked to known terrorist organizations or other prohibited entities, but cybersecurity experts do not recommend paying attackers. Paying demonstrates that this sort of crime remains viable, even if illicit, as long as corporations are willing to pay ransoms.
Because users of Blackbaud’s software engage in fundraising and other donor-related activities, we may infer that they could now attract the attention of ransomware attackers and face attempted extortion through threats to expose information about individuals and fundraisers at universities and other organizations.
A class-action lawsuit was filed against Blackbaud in December 2020.
The systems, according to the lawsuit, were “incompetently secured…,” and Blackbaud did not take a number of measures that could have avoided the breach. The complaint charges that Blackbaud failed to implement adequate security procedures to protect customer data.
It also alleges that Blackbaud failed to “timely implement adequate and appropriate safeguards” for that data.
It further alleges that Blackbaud was ineffective in preventing the breach or detecting it promptly.
It alleges that Blackbaud neglected to safeguard the PII and PHI as it had previously promised and represented it would.
It also alleges that Blackbaud’s training for ransomware attacks was not adequate.
The victims did not receive any restitution as a result of the data breach.
Blackbaud is a perfect example of why a robust cyber insurance program is necessary for SaaS companies. It is also an example of how third-party cyber risks can come back to bite a company.
SaaS companies should ensure that their insurance policies cover all aspects of a data breach, from notification costs to business interruption to cyber extortion.
Additionally, SaaS companies should have a robust incident response plan in place so that they can rapidly and effectively respond to a data breach.
Work with CoverSaaS to build your SaaS insurance program.