Blackbaud Software Company Subject of Class Action Lawsuit Over Cyber Attack

The Blackbaud software company is facing a class action lawsuit in Florida over claims it failed to protect customers from and promptly inform them of a ransomware attack that compromised sensitive data.

Plaintiff Heidi Imhof of Tampa, Fla., filed the class action lawsuit against Blackbaud in federal court after she learned her personally identifiable information had been captured during a cyberattack on Blackbaud, which provides cloud-based fundraising software to nonprofits, schools, religious groups, and others. Imhof says Blackbaud should be held liable for allowing the data breach and for waiting months to inform its customers of the incident.

Imhof’s information was stored in Blackbaud’s system because her alma mater, Stetson University, is one of Blackbaud’s clients.

According to the class action complaint, Blackbaud informed Stetson University on July 16 that a ransomware attack had been detected “in progress” on May 20. It had been going on since February. The company reported that since the breach was discovered, forensic experts and law enforcement had been working with its in-house security team to investigate, the class action lawsuit says.

Imhof says she received a letter from Stetson dated Oct. 2 informing her of the ransomware attack on Blackbaud and confirming that her personally identifiable information – including her name, Social Security number, date of birth, student identification, demographic information, financial data, and philanthropic giving history – had been viewed and removed by the “unauthorized third parties.”

The cyberattack put Imhof and countless others at risk of identity theft and significant financial loss, not only in the immediate aftermath, but for years to come, the class action lawsuit says. Imhof wants the court to certify her case as a class action representing all those whose personal information was compromised during the Blackbaud hack. It is unclear how many potential Class Members might be involved.

“Plaintiffs and [C]lass [M]embers have had to spend, and will continue to spend, significant amounts of time and money in an effort to protect themselves from the adverse ramifications of the data breach, and will forever be at heightened risk of identity theft and fraud,” the Imhoff class action lawsuit argues.

Ransomware attacks are a kind of data breach that generally involve malicious software that locks and encrypt a computer system’s files and operating system once installed and virtually holds it for ransom. Cybercriminals gain access and plant the software remotely.

Blackbaud software said it was able to “expel” the hackers it discovered in its system, but not before the cybercriminals had accessed and copied an undisclosed amount of data.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said in announcing the breach in July. “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

The Imhoff class action lawsuit alleges Blackbaud’s actions were negligent, in violation of Florida’s Deceptive and Unfair Trade Practices Act and constituted unjust enrichment.

“Plaintiff brings this class action against Blackbaud for its failure to protect and safeguard personally identifiable information,” the class action says, “and for failing to provide timely, accurate, and adequate notice to plaintiffs and other Class Members that their [personally identifiable information] had been compromised.”

Does your organization use Blackbaud software for fundraising or alumni and donor outreach? Have you been informed that your personally identifiable information might have been compromised during the cyberattack? Tell us about it in the comment section below or go here to see if you qualify to join a Blackbaud class action lawsuit.

Lead plaintiff Imhof and the proposed Class Members are represented by Heather H. Jones and William “Billy” Peerce Howard of The Consumer Protection Firm PLLC.

The Blackbaud Software Class Action Lawsuit is Heidi Imhof, et al. v Blackbaud Inc., Case No. 8:20-cv-02738 in the U.S. District Court for the Middle District of Florida.

Read About More Class Action Lawsuits & Class Action Settlements:

• Do You Qualify: Blackbaud Ransomware Data Breach Class Action Lawsuit Investigation
• Salesforce, Hanna Andersson Agree to Settle Data Breach Class Action Lawsuit for $400K
• Were You Affected by the R1 RCM Ransomware Attack? 
• IED Blast Injuries Lead to Ongoing TBI Concerns in Veterans
• Philadelphia Sues Juul over E-Cigarette Addiction Epidemic