A cyberattack at Blackbaud Inc. earlier this year has cost the company $3.6 million so far and resulted in nearly two dozen lawsuits in the United States and Canada.
But the legal fallout from the breach has expanded beyond the customers that were directly affected, the Daniel Island technology company told investors Tuesday.
Since the attack, 43 state attorneys general and various federal agencies from the U.S. and abroad have requested information about the attack, according to a quarterly filing with the Securities and Exchange Commission.
It's too early to say what the impact of those inquiries will be.
The cloud-based software the company sells helps nonprofits, churches and schools around the world manage their operations, including their donor databases. A cyberattack targeted Blackbaud beginning in February. Copies of sensitive donor information were stolen.
Blackbaud said it learned of the breach in May and expelled the cyberthief by June 3 and disclosed the incident publicly on July 16. The company paid an undisclosed ransom in exchange for assurances that the stolen data would be deleted.
The 23 lawsuits that have been filed against the company mostly allege that Blackbaud delayed its notification to customers and that it didn't secure the sensitive information as well as it could have.
In addition to the demand for information from state law enforcement officials, Blackbaud told investors Tuesday it is also fielding inquiries from the U.S. Federal Trade Commission and the U.S. Department of Health and Human Services, as well as privacy officials in the United Kingdom, Australia and Canada.
The company, which serves about 45,000 customers around the globe, said it is cooperating fully with all authorities.
In a call last week with investors, Blackbaud CEO Michael Gianoni restated his apology to customers for the attack and said the security flaw that allowed the breach has been fixed.
"We are incorporating lessons learned from this incident to continue improving our cybersecurity program and further harden our environments, while being transparent with our customers on our progress," Gianoni said.
The unexpected expenses the company has incurred from the breach include security upgrades and payments to consultants and lawyers, according to the SEC filing. They represent about 3 percent of Blackbaud's total costs over the past quarter.
Gianoni said he believes insurance will cover "a significant portion" of the expenses related to the attack, though he added "this is inherently difficult to predict."
As for Blackbaud's financial performance during the COVID-19 pandemic, its sales in the third quarter fell about 3 percent to $215 million compared to a year earlier, while net income increased 7 percent to $4.9 million.
While the customers that Blackbaud sells to are under stress because of the COVID-19 pandemic, Gianoni said the company's technology offerings are more valuable than ever.
One example: Blackbaud went virtual with its annual conference, bbcon, this year, and saw record attendance. Gianoni said the company registered 38,000 attendees, equivalent to about a decade of attendance.
It was the greatest number of prospective customers Blackbaud has hosted at the early October event, which Gianoni said "shows the significant interest in Blackbaud and how our cloud solutions can help solve the challenges and opportunities social good organizations face today."