DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The High Cost of Reporting a Non-Reportable Data Breach

Posted on September 25, 2020 by Dissent

Mark Rasch raises an important issue — the risks of reporting a breach that you may not need to report.  Using the Blackbaud incident as his starting point, he writes:

In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”

In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.

Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.

Read more on Security Boulevard.

Category: Commentaries and AnalysesOf Note

Post navigation

← NEET, JEE aspirants’ data available on public domain, Bhopal medical student seeks CBI probe
Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.