Blackbaud, a cloud software provider, fined $3 million for failing to notify customers of a ransomware attack

The U.S. Securities and Exchange Commission (SEC) made the announcement today that Blackbaud Inc., a public company located in South Carolina that offers donor data management software to non-profit organizations, has agreed to pay $3 million to resolve charges for providing deceptive statements about a ransomware attack in 2020 that affected more than 13,000 clients. The SEC alleges that Blackbaud made the disclosures in an attempt to deceive investors about the severity of the attack.

According to the order issued by the SEC, Blackbaud made the announcement on July 16, 2020, that the ransomware attacker did not access the personal information of donors, including their bank account information or social security numbers. But, within a few days of these claims being made, the company’s IT and customer relations workers realized that the attacker had, in fact, accessed and removed this sensitive material from the system. Due to the fact that the corporation did not properly maintain its disclosure controls and processes, the workers in question did not share this information with the senior management that was responsible for its dissemination to the public. As a result of this mistake, the corporation submitted a quarterly report to the SEC in August 2020 that left out this vital information regarding the breadth of the attack and misrepresented the danger that an attacker may access such sensitive donor information as being hypothetical.

According to the quarterly report that was filed with the SEC in 2020 for the three months leading up to November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases in the United States and Canada related to the ransomware attack and data breach that had occurred in May 2020.

The business also disclosed that government agencies and data regulators have also conducted investigations into the incident. These investigations include a multi-state, combined Civil Investigative Demand filed on behalf of 43 state Attorneys General and the District of Columbia.

Blackbaud also acknowledged in its news release from July 2020 (which now refers to the company’s security website) that it had paid the ransom that the attackers demanded after getting proof that all of the stolen data had been deleted.

According to David Hirsch, Head of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, “As the order finds, Blackbaud failed to disclose the entire effect of a ransomware attack despite its staff realizing that its prior public comments regarding the incident were erroneous.” This remark was made in response to the finding that Blackbaud had failed to disclose the full impact of a ransomware attack. Blackbaud did not live up to its commitment of providing accurate and timely important information to its investors, which is a requirement for publicly traded corporations.

According to the order issued by the SEC, Blackbaud committed violations of Section 17(a)(2) and Section 17(a)(3) of the Securities Act of 1933, as well as Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Blackbaud agreed to pay a $3 million civil penalty, refrain from violating these requirements going forward, and stop committing breaches of these provisions without admitting or rejecting the SEC’s findings.