
Blackbaud Class Action Lawsuit Denied by Federal Court


A U.S. District Court judge in South Carolina has denied a motion to certify a class action lawsuit against Blackbaud, a third-party software and data services provider hit by a large cyber breach in February 2020.

Judge Joseph Anderson Jr. said that the method proposed by the plaintiffs' experts had not shown how class members would be determined. That ended the certification bid for a class that, based on the number of records stolen in the high-profile heist, could have reached 1.5 million people. Some estimates put it as high as 20 million individuals.

"Given Plaintiffs' failure to provide this Court with an administratively feasible method of ascertaining class members, this Court declines to join the minority of courts that have certified a class in a consumer data breach case such as this," Judge Anderson wrote.

Blackbaud sells tools for fundraising, nonprofit financial management and education. Its customers include nonprofit organizations, foundations, schools and healthcare organizations. The company claims that more than $100 billion is raised, granted or invested through its software annually.

Its channel partners include independent software providers (ISVs), referral partners and developers that build, sell, refer and service solutions.

Blackbaud has been the target of an unsolicited offer by private equity firm Clearlake for $4.3 billion. Clearlake had initially offered $71 a share but later upped its bid to $80. Clearlake invested in Blackbaud in 2020 and currently owns an 18.9% stake in the company.

Blackbaud subsequently rejected the revised offer in mid-May, the NonProfitTimes reported.

Blackbaud Pays Ransom in Bitcoin

As for the cyberattack, Blackbaud was hacked in February 2020 and information was compromised on roughly 1.5 billion individuals from some 13,000 Blackbaud customers. The breach was not discovered by the company until May 14, 2020, and customers were not notified until July 16, 2020.

Blackbaud paid the hackers 24 Bitcoin, valued at the time at about $250,000, in exchange for the attackers' promise to delete the stolen data. But Blackbaud reportedly has been unable to confirm that the attackers actually destroyed the data.

Blackbaud has already paid several penalties stemming from the breach. In 2023, the Securities and Exchange Commission (SEC) said Blackbaud agreed to pay a $3 million fine to settle charges for making misleading disclosures about the ransomware attack.

Blackbaud claimed that the ransomware attackers had not stolen donor bank account information or Social Security numbers when they had, in fact, exfiltrated that material and other personally identifiable information (PII).

The SEC further determined that Blackbaud lacked proper disclosure controls and procedures and, as a result, omitted material information about the cyber breach in an August 2020 quarterly filing.

Separately, in October 2023, Blackbaud agreed to pay $49.5 million to settle investigations by 49 states and the District of Columbia. California’s attorney general did not participate in the agreement.

The action by the SEC presaged its new regulation that went into effect in December 2023 requiring registrants to report a security incident in an 8-K document within four business days of the incident.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.