Paying a Ransom – The Blackbaud Data Breach

21st August 2020 Media Law

Blackbaud, a US cloud software company, provides data storage for organisations worldwide. In July, Blackbaud revealed that they have been the victim of a ransomware attack. As of 4 August 2020 the UK’s Information Commissioner’s Office (ICO) told the BBC that 125 organisations had reported to it in relation to the incident “so far”. Almost all of these organisations were non-profit organisations such as universities and charities. Other educational establishment have also admitted being affected.

In a statement on their website, Blackbaud have confirmed that they became aware of the attack in May 2020. The statement established that the perpetrator had obtained a copy of a subset of data held by Blackbaud. Blackbaud announced that “because protecting our customer’s data is our top priority, we paid the cybercriminal’s demands with confirmation that the copy they removed had been destroyed”. 

Blackbaud have been criticised for not disclosing this data breach externally until July and for having paid the hackers an undisclosed ransom. Many believe that paying cyber criminals in this way has negative consequences. Showing a willingness to pay may encourage the criminals to attack others and encourage copy-cat attacks. The organisation involved is also making a deal with a criminal, and who is to say they really delete the data when they say they do? 

In October 2017 Uber suffered a huge attack, exposing the data of over 57 million of their customers and drivers. The firm paid hackers $100,000 to delete data and keep the breach quiet. In September 2018 Uber were fined $148,000 for their failure to notify victims of the hack. 

Under the GDPR, organisations that suffer a data breach exposing Europeans’ personal data must notify an EU data protection authority, such as the UK’s ICO, and any data controllers within 72 hours. Despite becoming aware of the attack in May they did not notify their customers (the data controllers) until July 16 2020. The ICO has the power to fine organisations up to 4% of their annual global revenue or €20,000,000 – whichever is greater for a data breach. Fines may be forthcoming not only for there is a delay in notifying, but also if a regulatory investigation finds an organisation’s security to be lacking. 

Blackbaud has confirmed that the data involved did not include bank account or payment card details. However other personal data involved reportedly includes information such as individuals’ name, date of birth, email and phone number and, in the case of many universities, data relating to educational attainment. 

The non-profit organisations such as the many Universities involved, as required by the General Data Protection Regulation, sent out notifications to those affected by the data breach. Many organisations notifing individuals have told them that they are not required to take any action but should remain vigilant to any suspicious activity and to notify relevant authorities immediately. 

Upon receipt of a notification email from an organisation informing you that your data has been involved in a breach there are a number of things you can do other than to ‘remain vigilant’. If you do not know exactly what information the organisation holds on you, and thus what information may have been exposed in the Blackbaud incident, you can make a ‘Subject Access Request’.

Under data protection law, you have a right to access the data that an organisation holds on you and know what it has done with it. You have the right to ask organisations for copies of the personal data they hold on you, and you can do so either verbally or in writing. This is commonly known as making a ‘subject access request’ or a ‘SAR’. The ICO have templates that you can use to help you make such a request. 

When you make a ‘subject access request’ the organisation holding your data, referred to as a data controller in legislation, has to comply within one calendar month. The organisation can extend this by up to three months if the request is deemed to be ‘complex’, but they must inform you of this within one calendar month. Organisations cannot charge a fee to comply with your request. There are a number of exemptions that apply which must be considered. 

If you have been affected by any of the issues mentioned in this blog, JMW Solicitors may be able to help. Please get in touch.

We're Social

Amy Smethurst is a Paralegal located in Manchesterin our Media Law department

View other posts by Amy Smethurst

Let us contact you


COVID-19 Update - Our website and phone lines are operating as normal and our teams are on hand to deal with all enquiries. Meetings can be conducted via telephone and video conferencing.

View our Privacy Policy

Areas of Interest