A federal judge denied class certification in consolidated proposed class action litigation against Blackbaud for a 2020 ransomware attack affecting 13,000 clients and compromising data of about 1.5 billion donors. The ruling was due to failure to demonstrate 'ascertainability' of proposed class and subclasses, which included negligence and gross negligence classes for affected individuals
Despite plaintiffs' claims, the judge deemed an 'administratively feasible' way to determine class members was lacking. Blackbaud faced regulatory enforcement actions and settled with 48 states over data security practices post-hack. The company paid fines and was ordered by the FTC to delete unnecessary data and implement security improvements. The UK's Information Commissioner's Office reprimanded Blackbaud for violations without a fine. Plaintiffs in the case have not shown a path forward following the denial of class certification. https://www.bankinfosecurity.com/judge-denies-class-certification-in-blackbaud-hack-lawsuit-a-25248