DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The High Cost of Reporting a Non-Reportable Data Breach

Posted on September 25, 2020 by Dissent

Mark Rasch raises an important issue — the risks of reporting a breach that you may not need to report.  Using the Blackbaud incident as his starting point, he writes:

In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”

In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.

Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.

Read more on Security Boulevard.

Category: Commentaries and AnalysesOf Note

Post navigation

← NEET, JEE aspirants’ data available on public domain, Bhopal medical student seeks CBI probe
Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile
  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch (1)
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.