Nonprofit software and data services giant Blackbaud is facing a class action lawsuit with the US District Court District of South Carolina after donors’ data was hacked by cyber criminals. Hackers breached Blackbaud’s systems on February 7, 2020, but the intrusion was not discovered until May 14, and users were not notified until July.

At the center of the lawsuit was a ransomware attack that allowed the hackers to download information and attempt to take control of Blackbaud’s systems and data hosting operations. Once they had control, they demanded payment for the stolen material.

According to the suit filed by William Allen with the District Court of South Carolina, customers have experienced “ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack.” When asked for comment, a spokesperson for Blackbaud stated “Blackbaud disagrees with the allegations and intends to demonstrate they are without merit.”

After paying an undisclosed sum in Bitcoin to the hackers in July, Blackbaud said that the vulnerability exploited by the ransom had been solved, and there was no further risk to their customers’ data. They also stated that no bank account information, credit card information, or Social Security numbers were accessed.

According to Cleveland.com, some entities affected in the just the northern Ohio region by the attack include the Cleveland Museum of Natural History, Holden Forests and Gardens, the Cuyahoga Community College Foundation, and Kent State University.

Leigh Greenfelder, an Assistant Vice President at Kent State told Cleveland.com, “It’s very upsetting for us because first of all our alumni are very important to the university, and we certainly don’t want anything to be problematic for them. So, we were disappointed to hear that. Also surprised that it took them so long to let us know, so that was upsetting because we of course want to let people know right away.”

The class action lawsuit filed by Allen seeks to compel Blackbaud to increase its data security practices, change the practices that led to the breach, and pay for actual and punitive damages, as well as the incurred legal fees and costs.

The Blackbaud ransomware attack brings two important concepts to the forefront: aggregation of risk and timeliness in notification after a breach. This incident demonstrates how a breach at one data aggregator can affect multiple individual companies and organizations. Aggregation risk has been a concern among cyber carriers for some time.

Also noteworthy is Blackbaud’s alleged delay in notifying its clients of the incident, which has led to a class action against the company. It is important for businesses to not only require their data aggregators to carry a sufficient amount of Cyber insurance, but also to put into their contracts that the data aggregator will notify them on a timely basis in the event of a breach. Most state notification laws still put the responsibility on the “data owner” to comply with notification requirements.

When a data aggregator delays in notifying the data owners, it exposes the data owners to potential regulatory action against them for violation of state notification laws and potentially federal laws depending on the class of business in which they operate.