Donors continue to file lawsuits against Blackbaud, the fundraising software company that faced a massive data breach this year.
The latest was filed by Daniel Cohen, a Washington resident, who also names three nonprofits — Harvard University, Bank Street College of Education, and the Lower East Side Tenement Museum — as defendants. The goal of his suit and many others is to build a class action that will force compensation to all harmed by the data breach.
Nonprofit organizations that use Blackbaud’s software for managing donor information have been put in an awkward position since the company first disclosed the ransomware attack to its clients in July.
Sometime from February to May, a cybercriminal was able to access personal donor information from a backup server storing data from an unknown number of Blackbaud clients, including the three nonprofits Cohen is suing.
Blackbaud paid a ransom to encourage the hacker to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” according to the company’s statement.
But Blackbaud has provided no additional information to reassure nonprofits and their supporters that their information hasn’t gone beyond the criminal. The company has said that bank details and credit-card and Social Security numbers were not compromised during the breach, but several nonprofits have said that some sensitive information was accessed.
Nonprofits, not Blackbaud, have been notifying their supporters of the breach over the past two months. In the latest lawsuit, Daniel Cohen said he received letters in August from the three organizations he is suing.
In their disclosures to donors and other individuals whose data they stored, nonprofits have said that the criminal gained access to names, addresses, phone numbers, and giving history and capacity of donors and potential supporters
Attorney General Warning
Last Friday, Michigan’s attorney general Dana Nessel warned residents — particularly colleges and other nonprofit donors — to be on alert for fraudulent emails or phone calls in the wake of the Blackbaud breach.
Recipients of letters about the ransomware attack “should also remain vigilant for suspicious emails, texts, or phone calls asking for personal information, donations, or other payments,” the attorney general says.
As of Tuesday, donors had filed 10 lawsuits against the software giant. The cases call for Blackbaud to provide free credit monitoring and financial compensation for anybody who was affected by the attack, as well as improvements to their data-security practices.
Last week, a lawyer representing plaintiff William Allen, another donor to nonprofit causes, filed a motion to consolidate the cases in the federal court system. The Judicial Panel on Multidistrict Litigation may consider that motion later this year.
In an earlier interview, the lawyer said his firm is investigating whether charities have claims against Blackbaud as well. The Tenement Museum and Bank Street College declined to comment on the suit brought by Daniel Cohen. Harvard did not respond by our deadline.
Blackbaud has declined to comment on pending litigation.
