Blackbaud to pay $3M for misleading ransomware attack disclosure

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

The organizations impacted by the incident include charities, foundations, non-profits, and universities worldwide, from the U.S., Canada, the U.K., and the Netherlands.

To settle the SEC’s charges (but without confirming or denying the SEC’s findings), Blackbaud has agreed to pay a $3 million civil penalty for failing to disclose the full scope of the cyber attack.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, the head of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.

“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

According to the SEC, the company stated in July 2020 that the attackers behind the May 2020 ransomware attack had not gained access to donor bank account details or social security numbers.

However, Blackbaud’s technology and customer relations staff soon learned that the threat actors had accessed and stolen this sensitive information. 

However, they failed to report this to management because the company lacked proper disclosure controls and procedures. As a result, Blackbaud filed an SEC report the following month that omitted vital information about the breach’s extent.

Furthermore, the report misleadingly stated that the risk of attackers obtaining such sensitive donor information was merely hypothetical.

Attack investigated by Attorneys General from 43 states

As of November 2020, Blackbaud had already been  in the U.S. and Canada related to the May 2020 ransomware attack and data breach, according to the  filed with the SEC.

The company also revealed that government agencies and data regulators had made inquiries into the attack, including a multi-state, consolidated Civil Investigative Demand issued on behalf of 43 state Attorneys General and the District of Columbia.

Blackbaud also confirmed in its  (which now redirects to the company’s ) that it paid the ransom requested by the attackers after receiving confirmation that all the stolen data was destroyed.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”