A multi-month investigation into the May 2020 cyber incident at Blackbaud, one of the leading cloud computing providers, has ended. The company reached a settlement worth $49.5 million with the attorneys general of 49 US states.
Blackbaud specializes in cloud software solutions for non-profit organizations such as schools, hospitals, and charities, and in particular in the management of donor databases.
The data leak in July 2020 involved extremely sensitive data belonging to more than 13,000 Blackbaud business clients and their customers in the USA, Canada, Great Britain, and the Netherlands. During the attack, the attackers stole unencrypted banking information, login credentials, and social insurance numbers. Blackbaud paid a ransom after the attackers gave assurances that all the stolen data had been destroyed.
The $49.5 million settlement resolves allegations that the company violated consumer protection laws, breach notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).
As part of the settlement, Blackbaud is obligated to:
- develop and maintain a security incident response plan;
- provide appropriate assistance to its customers in the event of a security breach;
- report security incidents to its chief executive officer and board of directors, and improve employee training;
- implement safeguards for personal information, including full database encryption and dark web monitoring;
- strengthen its defenses through network segmentation, patch management, intrusion detection, firewalls, access control, logging and monitoring, and penetration testing;
- allow third-party organizations to assess the company's compliance with the terms of the agreement for 7 years.
In its report for the third quarter of 2020, Blackbaud disclosed that at least 43 state attorneys general and the District of Columbia were investigating the incident. By November 2020, 23 proposed consumer class action lawsuits had been filed in connection with the security incident in the USA.