Cloud software provider Blackbaud agreed to pay $3 million to settle claims for regulatory filings in the wake of a major ransomware attack in 2020.
The South Carolina-based company, which sells software to nonprofits, schools, and other “social good” organizations, discovered and contained the May 2020 attack, but found that the attackers had killed customers. He said at the time that he had successfully stolen sensitive data.
After claiming to have paid extortionists, Blackbaud said it had no reason to believe that the stolen data would be “misused or misappropriated or disseminated or otherwise made public.” .
However, an SEC order issued late last week claimed that Blackbaud’s quarterly report filed in August 2020 omitted details about the scope of the attack.
Learn more about Blackbaud here: Blackbaud Breach Hits 9 More Universities
The company said the risk of donor information being stolen by hackers was “hypothetical,” the regulator said. In fact, Blackbaud’s technical staff and his customer service staff knew that the donor’s bank account and social security information had been stolen, but had not communicated this to senior management.
The SEC determined that this was due to a failure to properly maintain disclosure controls and procedures.
David Hirsch, head of the SEC’s Enforcement Division’s Crypto Assets and Cyber Unit, said: “As the order found, Blackbaud was in the wrong, even though officials knew that previous public statements about the attack were false. Regardless, we were unable to disclose the full impact of the ransomware attack.
“Public companies have an obligation to provide investors with accurate, timely and material information. Blackbaud has failed to do so.”
The $3 million civil penalty to be paid by Blackbaud is not an admission of guilt. However, the company has agreed to stop and cease any activity that violates securities and exchange laws.
Ultimately, the ransomware breach affected more than 13,000 customers, the SEC said.
Editorial image credit: Aleksandkozak / Shutterstock.com
