Class Action Lawsuit Questions Blackbaud's Hacker PayoffCompany Says It Paid Ransomware Attacker for Promise to Delete Stolen Data
Filing a class action lawsuit against a business that has suffered a data breach is a common occurrence.
See Also: A Toolkit for CISOs
Increasingly, however, ransomware is becoming part of the mix, owing to gangs first exfiltrating data and then threatening to leak it if victims don't pay a ransom (see: Ransomware + Exfiltration + Leaks = Data Breach).
Ransomware adds a further wrinkle to the data breach discussion and potential legal ramifications for breached organizations: A growing number of organizations hit by ransomware have said that they were able to wipe and restore systems from backups, but they paid a ransom to their attackers anyway in return for a promise that they would delete all of the stolen data and not provide or sell it to anyone else first.
Can thieves be trusted to honor such promises? That's one question posed by a lawsuit seeking class action status filed against South Carolina-based Blackbaud. The publicly traded firm, which provides cloud-based marketing, fundraising and customer relationship management software used by thousands of charities, universities, healthcare organizations and others, suffered a data exfiltration and ransomware attack in May.
Questions persist about the Blackbaud breach because the company detected the intrusion in May but only notified customers beginning in July. The list of victims includes organizations in Europe, meaning Blackbaud must comply with the EU's General Data Protection Regulation, which requires that regulators be informed within 72 hours of any breach about the details of what happened and what was stolen. Blackbaud has yet to respond to Information Security Media Group's request to clarify when it first notified European regulators (see: Blackbaud's Bizarre Ransomware Attack Notification).
'We Paid the Cybercriminal's Demand'
In its breach notification, Blackbaud notes that it paid a ransom to secure a promise from attackers that they would delete all stolen data.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment," Blackbaud states in its breach notification. "The cybercriminal did not access credit card information, bank account information or Social Security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
Following the breach notification, Blackbaud was hit on Aug. 12 by a lawsuit seeking class action status, filed by Whitfield Bryson & Mason LLP on behalf of U.S. resident William Allen, whose "private information was compromised as a direct and proximate result of the data breach."
The lawsuit seeks, in part, seven years of prepaid identity theft monitoring for victims. It alleges that the company's security defenses were inadequate and that attackers may have compromised massive quantities of PII, including Social Security, credit card and bank account numbers.
One of the firm's attorneys, Matthew Lee, tells ABC affiliate WFTS in Florida that tens of thousands of individuals could have had their PII compromised and may thus be at life-long risk of identity theft.
The lawsuit also calls out the company's mention of paying attackers as a way to try and safeguard victims. "To believe basically a criminal who's hacked into your system that they have stood by their word and deleted the information, I don't think that cuts it," Lee told WFTS.
Most Data Breach Lawsuits (Still) Fail
Many data breaches trigger lawsuits alleging that the breached organization had poor security controls and that victims are due compensation. But at least in the U.S., very few of these lawsuits succeed. Legal experts say that's because many courts have held that victims must suffer harm, and such harm can only be demonstrated by financial loss (see: Why So Many Data Breach Lawsuits Fail).
"In pure privacy violations, courts have been reluctant to find compensable harm to data breach victims as the result of mere exposure of certain types of personal information, because the victim can't show any actual harm as a result, as opposed to theoretical harm - fear that at some point in the future, I might have my identity stolen," says attorney Mark Rasch, who's of counsel to the law firm of Kohrman, Jackson & Krantz, who is not involved in the case.
"If you look at the history of data breaches, the early breaches were of credit card information, and the harm was that someone would steal money from the account and you'd be liable for it," he tells Information Security Media Group.
States' data breach notification laws are designed to ensure affected consumers are notified so they can take steps to safeguard their PII.
But banks or credit card companies are now often the first ones to spot a breach - because they see a series of unusual charges across cards - after which they'll cancel cards and issue new ones. Card issuers will typically reimburse any fraud that results. "So the mitigation has already happened before the breach notification," Rasch says.
Many breached organizations will also offer at least a year of prepaid identity theft monitoring services, if credit card, Social Security numbers or other data that might be used for identity theft purposes was exposed.
That doesn't stop numerous lawsuits from alleging privacy violations. But in the U.S., harm requires showing a financial loss, and privacy has no dollar value (see: Ashley Madison: The Impact of Some Data Breaches Is Forever).
"The fact that we don't assign a dollar value to privacy [means] we don't value privacy," Rasch says.
Blackbaud Focused on Mitigation
What about the lawsuit's strategy of attempting to blame Blackbaud for paying a ransom to attackers to try to safeguard stolen data? Rasch says that action might actually work in Blackbaud's favor because it shows the company took deliberate steps to try to manage the incident and mitigate its impact, rather than something nefarious, like trying to cover it up.
"They didn't ... pay the hackers for their silence; they paid the hackers to delete and wipe and validate the deletion and wiping of the data - and that's not necessarily an unreasonable thing to do," Rasch says. "I don't know how much you can believe them or credit them, but even so, you know you're not paying for silence; you're paying for mitigation."