Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging it failed to disclose the full impact of a 2020 ransomware attack that reached more than 13,000 customers.
Organizations affected by the incident include charities, foundations, non-profit organizations and universities around the world, including in the USA, Canada, UK and Netherlands.
To settle the SEC charges (but without confirming or denying the SEC’s findings), Blackbaud agreed to pay a $3 million civil penalty for failing to disclose the full extent of the cyberattack.
“As the order indicates, Blackbaud has not disclosed the full impact of a ransomware attack despite its staff being told that its prior public statements about the attack were inaccurate,” said David Hirsch, head of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.
“Public companies have an obligation to provide accurate and timely material information to their investors; Blackbaud has failed to do so.”
According to the SEC, the company declared in July 2020 that the attackers behind the May 2020 ransomware attack did not have access to donor bank details or social security numbers.
However, Blackbaud’s technology and customer relations staff soon learned that the threat actors had accessed and stolen this sensitive information.
Unfortunately, they failed to report this to management because the company did not have proper disclosure controls and procedures in place. As a result, Blackbaud filed an SEC report the following month that omitted vital information on the extent of the breach.
Furthermore, the report misleadingly stated that the risk of such sensitive donor information being obtained by attackers was only hypothetical.
Attack investigated by attorneys general from 43 states
As of November 2020, Blackbaud had already been named in 23 class action lawsuits brought on behalf of consumers in the United States and Canada in connection with the May 2020 ransomware attack and data breach, according to the Q3 2020 Quarterly Report filed with the SEC.
The company also disclosed that government agencies and data regulators were investigating the attack, including through a multi-state consolidated civil inquiry request issued on behalf of 43 state and District of Columbia attorneys general.
Blackbaud also confirmed in its July 2020 press release (which now redirects to the company's security page) that it paid the ransom demanded by the attackers after receiving confirmation that all stolen data had been destroyed.
“Because protecting our customers’ data is our top priority, we paid off the cybercriminal’s claim by confirming that the copy he deleted was destroyed,” Blackbaud said.
“Based on the nature of the incident, our research and the investigation by a third party (including law enforcement), we have no reason to believe that any data went beyond the cybercriminal, has been or will be misused, or will be disseminated or otherwise made publicly available.”