In July 2020, the company, which provides hundreds of non-profits and educational facilities with customer relationship management services, disclosed that they had suffered a ransomware attack. More than 120 education and third-sector organisations may have had their data compromised.
The attack took place in February 2020 and was discovered in May 2020 when many of the affected organisations were already reeling from the disruption caused by the COVID-19 pandemic.
The attackers took over the company's servers, encrypted some sets of data and took a copy of a subset of data before they were locked out of the company's systems. The company admitted that they had paid out an undisclosed amount of money in order to retrieve that data which they confirmed did not include bank account or payment card details. However, in some cases it did involve donors details such as names, ages, addresses, estimated wealth / identified assets, past donations and likelihood to make a bequest triggered by their death.
In November 2020, insurance recoveries were confirmed related to this incident.
In March 2023, it was reported that the company had reached a $3 million settlement with the SEC related to this incident. Later that same year, in October the company reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation in relation to this ransomware attack and data breach.
Want to discuss this case? You can purchase a 30 minute conference call with our analysts to discuss this case and the implications it has for your organisation. Just select the time and date that works for you:
We've done the analysis so you can make the decisions