Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger’s customers.
According to America’s financial watchdog, the SEC, Blackbaud will cough up the cash – without admitting or denying the regulator’s findings – and will cease and desist from committing any further violations.
“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies,” Tony Boor, the outfit’s chief financial officer, said told The Register.
“Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape,” Boor added.
For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz’s concerns, we imagine.
Slap on the wrist
Here’s what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn’t tell customers about the security breach until July 2020. And when the software company did notify customers, it assured them that the “cybercriminal did not access…bank account information, or social security numbers,” according to the SEC order [PDF].
By the end of that month, however, the SEC claims that Blackbaud personnel discovered that the miscreants had accessed unencrypted donor bank account information and social security numbers. But the employees allegedly didn’t tell senior management about the theft of sensitive customer data because Blackbaud “did not have policies or procedures in place designed to ensure they do so,” the court documents say. Make of that what you will.
This, in turn, resulted in the company filing a quarterly SEC report that omitted this material information about the scope of the cyberattack, and according to the agency, “misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.”
A month later, company execs filed an amended Form 8-K [PDF] about the ransomware infection, and admitted for the first time that criminals “may have accessed some unencrypted” customer banking information. Oops.
“”As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
The ransomware infection — and lack of transparency about the security snafu — also sparked several class action lawsuits against Blackbaud. This might prove a very expensive error. ®