Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC) alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.
Organizations affected by the incident include charities, foundations, non-profit organizations and universities around the world, including in the US, Canada, the UK and the Netherlands.
To settle the SEC’s charges (without admitting or denying the SEC’s findings), Blackbaud agreed to pay a $3 million civil penalty for failing to disclose the full scope of the cyberattack.
“As determined by the order, Blackbaud did not disclose the full impact of a ransomware attack despite the fact that its staff learned that its previous public statements about the attack were in error,” said David Hirsch, head of the Crypto Assets and Cyber Unit of the SEC’s Division of Enforcement.
“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud did not.”
According to the SEC, the company stated in July 2020 that the attackers behind the May 2020 ransomware attack had not gained access to donors’ bank account details or social security numbers.
However, Blackbaud’s customer relations and technology staff soon learned that the threat actors had in fact accessed and exfiltrated this sensitive information.
Because the company lacked proper disclosure controls and procedures, this finding was never passed on to senior management. As a result, the quarterly report Blackbaud filed with the SEC the following month omitted this material information about the extent of the breach.
Furthermore, the report misleadingly described the risk of attackers obtaining donors’ sensitive information as merely hypothetical, when the company’s own staff already knew it had happened.
Attack Investigated by Attorneys General of 43 States
As of November 2020, Blackbaud had already been named in 23 proposed consumer class action lawsuits in the US and Canada related to the May 2020 ransomware attack and data breach, according to the Q3 2020 quarterly report it filed with the SEC.
The company also revealed that government agencies and data protection regulators had opened investigations into the attack, including a consolidated multi-state civil investigative demand issued on behalf of the attorneys general of 43 states and the District of Columbia.
Blackbaud also confirmed in its July 2020 press release (which now redirects to the company’s security page) that it paid the ransom demanded by the attackers after receiving confirmation that the stolen data had been destroyed.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said.
“Based on the nature of the incident, our investigation, and the investigation of third parties (including law enforcement), we have no reason to believe that the data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”