A donor to nonprofit causes is leading the charge on behalf of other charity supporters against fundraising software company Blackbaud following a ransomware attack identified in May.
A lawyer filed the suit on behalf of William Allen, a Raleigh, N.C. resident who received notices from two nonprofits — a hospital and a private high school — that his information may have been compromised by the attack, which Blackbaud disclosed in July.
The lawsuit is calling for Blackbaud to provide free credit monitoring and financial compensation for anybody who was affected by the attack. “Private information was maintained on defendant’s computer network in a condition vulnerable to cyberattacks,” the suit alleges.
According to a statement from Blackbaud, a cybercriminal, who intended to block the company’s access to its data, succeeded in removing a copy of some customer data that included fields like donor names, addresses, contact information, and giving history. Bank information and credit-card and Social Security numbers were not compromised, according to the company.
Blackbaud paid a ransom of an undisclosed amount to encourage the hacker to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” the statement said.
But the incident, and Blackbaud’s delayed response in notifying its nonprofit clients, has drawn criticism from fundraisers and donors alike. Fundraisers say the firm has not been transparent and that the data breach could create mistrust among supporters, alumni, and others whose data is collected by nonprofits.
A Blackbaud spokeswoman declined to comment, citing the company’s policy not to comment on pending legal actions.
With more than 45,000 clients, Blackbaud is a leader in the nonprofit fundraising and database software market. The company has said that a majority of its customers were not affected by the breach but declined to share the number of groups affected.
Matthew Lee and his law firm Whitfield Bryson filed the case in federal court in Charleston, S.C,. where the software company is based. The lawsuit claims that “based on information and belief, the class consists of approximately tens of thousands of persons whose data was compromised.”
Lee said his firm has also gotten inquiries from nonprofits who were affected by the breach.
Nonprofits might be called upon as witnesses to provide information like lists of individuals whose data was was exposed. And the law firm is investigating whether charities have claims against Blackbaud as well.
“Down the road, they could also potentially be plaintiffs in a lawsuit like this, where they’d entrusted their information to Blackbaud and Blackbaud didn’t secure it the way they were supposed to,” Lee said.
Costs to Nonprofits
Some organizations chose to notify their supporters in the days following Blackbaud’s disclosure in mid-July, but a steady trickle of charities continue notifying their constituents about the breach.
That the breach affected a company that provides critical services to nonprofits has put organizations in a bind, said Catherine Nardone, chief development officer at the Environmental Defense Fund.
“They provide a really important service to us and to their other clients that is most efficiently delivered by them and helps us raise more money.” she said. “It’s difficult to do without it, and frankly I think they know that.”
Whether Blackbaud needs to provide credit monitoring or other protections to the individuals affected is one question that may be answered in the courts. But nonprofits say what is crucial for Blackbaud to understand is that nonprofits are not in a position to provide information protection for donors and others who could have been harmed by the data breach.
“If you’re Equifax, you have the resources to go out and say we’re going to get identity-theft protection for all of our clients,” Nardone said. “They’re a publicly traded company, we’re nonprofit. There’s a big difference.”
Blackbaud has said it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused.” But in emails and letters, nonprofits are urging supporters to monitor their online and financial activity. The March of Dimes, for example, encourages its donors to “remain vigilant and report any suspicious activity or suspected identity theft to us and the proper law enforcement authorities.”
For the Environmental Defense Fund, the vast majority of supporters Nardone and her colleagues have heard from have been understanding, she said.
“They realize we’re telling them because we really feel we have to maintain that trust with them,” she said. “The likelihood that anything would come of this, given the nature of the data that was exchanged, is very, very, very low. But still, this is a privacy issue. This is a cybersecurity issue. It makes people nervous.”
As one of her donors told her, it appears that Blackbaud is taking a “cavalier” attitude toward the breach, Nardone said. “That’s the impression they’re giving people.”
She continued: “They did a lot to try to make this right. I just think that their handling it with the client has raised more questions than they’ve been willing to answer.”
