Pam Arthur, of Stuart, Fla., has donated to the Christian anti-hunger charity Bread for the World.
Matthew Johnson, of Minneapolis, has supported his alma mater, the University of Wisconsin-Eau Claire, and the St. David’s Center for Child and Family Development.
Philip Eisen, of Los Angeles, and Dorothy Kamm, of Port St. Lucie, Fla., have given to Planned Parenthood.
And Mamie Estes and Shawn Regan, of Inglewood and San Pedro, Calif., have contributed to Crystal Stairs family services center in Los Angeles.
These donors support a diverse set of causes, but they have one thing in common: They’re all victims of a recent ransomware attack on the fundraising-software company Blackbaud and have filed four class-action lawsuits against the company.
These cases, filed in federal courts in California, Florida, and South Carolina, come on the heels of one filed in mid-August by William Allen, a Raleigh resident and supporter of at least two nonprofits affected by the data breach. The plaintiffs claim the software giant, whose backup servers were compromised during a hack identified in May, failed to adequately protect the data held by its nonprofit clients. They seek compensation or reimbursement and free credit-monitoring services for anyone who was affected.
In the weeks since Blackbaud disclosed the data breach in mid-July, the individuals all received notices from nonprofits informing them that a cybercriminal accessed their personal information — such as names, addresses, phone numbers, and giving history — stored on the company’s cloud server.
According to a statement from Blackbaud, the criminal intended to block the company’s access to its data and succeeded in removing a copy of some customer information. Bank details and credit-card and Social Security numbers were not compromised, according to the company. But some affected nonprofits have said that may not be the case. Northwestern Memorial HealthCare, for example, indicated that Social Security numbers, financial accounts, and payment-card information were unencrypted for five individuals in its database. Northwestern Memorial as well as the Northwest Kidney Centers told their supporters that the criminal may also have accessed information about patient medical treatment and health conditions.
Blackbaud paid a ransom of an undisclosed amount to encourage the hacker to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” the statement said. But many fundraisers, nonprofit technology experts, and donors are critical of how the company has handled the incident.
Some nonprofits, including Crystal Stairs, which received donations from two of the plaintiffs, have offered one year of free credit monitoring to their supporters as a precaution.
Blackbaud has not disclosed how many of its more than 45,000 client organizations were affected by the breach. Almost every day additional colleges, hospitals, and other nonprofits large and small issue notices to their supporters. But some groups have yet to notify their constituents as they weigh whether they have the legal or ethical obligation to disclose at all. Some of Blackbaud’s prospect-research tools, for example, primarily hold publicly available information.
A Blackbaud spokeswoman declined to comment on pending legal action and did provide any updates on the FBI investigation of the attack..
