Insurance Company Sues Blackbaud for $2M, Alleging Negligence Led Data Breach and Bitcoin Payment to Hackers

News | May 30, 2024 By:

On Friday, May 17, 2024, insurance company Travelers Casualty & Surety Company of America filed an amended lawsuit against tech solutions provider Blackbaud Inc. in Delaware Superior Court.

Travelers alleges that Blackbaud failed to adequately protect the sensitive personal and financial information of millions of individuals entrusted to its care. Blackbaud clients, including many educational institutions and charities, provided Blackbaud with confidential donor data to store and manage. This data was allegedly accessible due to security lapses and outdated systems at Blackbaud.

In February 2020, a hacker gained access to Blackbaud’s systems and remained undetected for over three months. The attacker was able to access files containing unencrypted personal information on millions of individuals, including names, addresses, birthdates, bank details, and social security numbers. According to the lawsuit, the hacker threatened to publish the stolen data publicly unless Blackbaud paid a ransom, which it did in 24 bitcoins.

Travelers had insured many of the nonprofits affected by the data breach. The insurer claims it paid out over $1.5 million to cover costs incurred by policyholders in responding to the incident, such as credit monitoring, call centers, forensic investigations, and IT services. Travelers is seeking over $2 million from Blackbaud to recover these payouts through subrogation clauses in its policies.

The lawsuit alleges that Blackbaud knew its systems were vulnerable to attacks due to outdated servers and software. Analysts at the company had repeatedly warned executives about security risks but little was done to address issues prior to the 2020 breach. Travelers also asserts that Blackbaud misled victims for months about the true extent of the stolen data.

State investigators have since taken action against Blackbaud over its data practices. In 2023, Blackbaud paid $3 million to the SEC to settle claims that it failed to disclose the full scope of the 2020 incident to investors. That same year, attorneys general from 50 U.S. states reached a $49.5 million settlement with Blackbaud regarding its security failures and inadequate breach response. The suit by Travelers seeks to hold Blackbaud financially responsible for the consequences of its 2020 data breach.

Please contact BlockTribune for access to a copy of this filing.