Page last updated on April 11, 2024
BLACKBAUD INC initially disclosed a cybersecurity incident in an SEC 8-K filing on 2020-09-29 16:07:27 EDT.
Incident Details
Material: Unknown
Is Breach: TRUE
Records Compromised: 13,000
Data Types Impacted: Educational information, Salary, Employment information, Donation history, Spouse name, Marital status, Religious beliefs, Gender, Reasons for seeking medical treatment, Medical visit dates, Health insurance information, Physician names, Patient medical identifiers, Identified personal assets, Estimated wealth, Age, Phone Number, Date of Birth, Bank account number, Home address, Social Security Number, Name, Email, Password, Username
Compromised Date: 2020-02-07
Detected Date: 2020-05-16
Disclosure Date: 2022-07-16
Contained Date:
Recovered Date:
Attack Goal: Theft
Costs: $52.735M
- Ransom (Direct): $235K - Paid 24 Bitcoin ransom.
- Regulatory fines (Direct): $49.5M - Settlement with 49 States (excluding California) and District of Columbia.
- Regulatory fines (Direct): $3M - SEC settlement for misleading cybersecurity incident disclosure.
Filings
8-K filed on 2020-09-29
BLACKBAUD INC filed an 8-K at 2020-09-29 16:07:27 EDT
Accession Number: 0001280058-20-000044
Item 7.01 Regulation FD Disclosure.
As previously reported in our Quarterly Report on Form 10-Q for the quarter ended June 30, 2020, on July 16, 2020, we contacted certain customers to inform them about a recent security incident (the “Security Incident”). This information disclosed that in May 2020 we discovered and stopped a ransomware attack. Our Cyber Security team-together with independent forensics experts and law enforcement-successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system. Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted (private cloud) environment.
After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.
We expect our Security Incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.
8-K filed on 2023-03-09
BLACKBAUD INC filed an 8-K at 2023-03-09 17:28:11 EST
Accession Number: 0001280058-23-000010
Item 7.01 Regulation FD Disclosure.
Blackbaud, Inc. (the “Company”) has reached a settlement with the United States Securities and Exchange Commission (the “SEC”) in connection with the Company’s previously disclosed 2020 security incident, in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed SEC investigation of the Security Incident and is further described in an SEC cease-and-desist order (the “SEC Order”). Under the terms of the SEC Order, the Company has agreed to cease-and-desist from committing or causing any violations or any future violations of Sections 17(a)(2) and (3) of the Securities Act of 1933, as amended (the “Securities Act”), and Section 13(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), and Rules 12b-20, 13a-13 and 13a-15(a) thereunder. No other violations of the securities laws are alleged in the SEC Order. As part of the SEC Order, the Company has also agreed to pay a civil penalty in the amount of $3,000,000. The Company has consented to the entry of the SEC Order without admitting or denying the findings of the SEC Order, other than with respect to the SEC’s jurisdiction over the Company and the subject matter of the SEC Order. The SEC Order describing the settlement is furnished herewith as Exhibit 99.1 and the SEC’s press release announcing this resolution is furnished herewith as Exhibit 99.2.
Exhibit No. 99.1
Exhibit No. 99.2
SEC press release dated March 9, 2023
8-K filed on 2023-10-05
BLACKBAUD INC filed an 8-K at 2023-10-05 08:07:48 EDT
Accession Number: 0001280058-23-000040
Item 8.01 Other Events.
On October 5, 2023, Blackbaud, Inc. (“Blackbaud” or the “Company”) entered into separate, substantially similar Assurances of Voluntary Compliance or Assurances of Discontinuance with each of 49 state Attorneys General and the District of Columbia (collectively, the “Administrative Orders”) relating to the previously announced 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multistate Investigation”), which is further described in the substantially similar Administrative Orders filed today in each of the 49 states and the District of Columbia.
Under the terms of the Administrative Orders, the Company has agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to Blackbaud customers or the individuals whose data is stored by the Company concerning (a) the extent to which Blackbaud protects the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools.
As part of the Administrative Orders, the Company also has agreed to pay a total of $49.5 million to the 49 states and District of Columbia. The Company expects to pay the full settlement amount to each state and the District of Columbia in October 2023 from its existing liquidity. This amount was fully accrued as a contingent liability in the Company’s financial statements as of June 30, 2023.
The Company has entered into the Administrative Orders without admitting fault of liability in connection with the matters subject to the Multistate Investigation.
The foregoing description is qualified in its entirety by reference to the full text of the form of Administrative Order attached hereto as Exhibit 99.2 and incorporated by reference herein.
As previously disclosed, the Office of the Attorney General of the State of California did not participate in the Multistate Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved. Although the Company is hopeful that it can resolve this matter on acceptable terms, there is no assurance that it will be able to do so on terms acceptable to the Company and to the State of California.
Exhibit No. 99.1
Press release dated October 5, 2023, announcing the Administrative Orders
Exhibit No. 99.2
SEC Form of Administrative Order
8-K filed on 2024-02-02
BLACKBAUD INC filed an 8-K at 2024-02-02 16:13:02 EST
Accession Number: 0001140361-24-005318
Item 8.01 Other Events.
On February 1, 2024, the U.S. Federal Trade Commission (the “FTC”) announced its approval of a settlement with Blackbaud, Inc. (the “Company”) relating to the previously announced 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). When finalized, this settlement will fully resolve the previously disclosed FTC investigation relating to the Security Incident, which is further described in the FTC’s complaint and proposed order.
Under the terms of the FTC’s proposed order, the Company has agreed to certain conditions, which are reflected in their entirety in the FTC’s proposed order. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment.
The Company has agreed to the FTC’s proposed order without admitting or denying any of the allegations in the FTC’s complaint, except as expressly stated otherwise in the FTC’s proposed order.
The foregoing description is qualified in its entirety by reference to the full text of the form of the FTC’s proposed order attached hereto as Exhibit 99.2 and incorporated by reference herein.
Exhibit No. 99.1
Press release dated February 2, 2024 announcing the FTC’s proposed order.
Exhibit No. 99.2
Company Information
| Name | BLACKBAUD INC |
| CIK | 0001280058 |
| SIC Description | Services-Prepackaged Software |
| Ticker | BLKB - Nasdaq |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |