Cloud software provider Blackbaud has agreed to pay $3m to settle charges over regulatory filings it made following a major 2020 ransomware attack.
The South Carolina-based firm, which sells software to non-profits, schools and other “social good” organizations, said at the time that it discovered and contained the May 2020 attack, but threat actors managed to steal sensitive data belonging to customers.
After claiming to have paid its extorters, Blackbaud said it had no reason to believe the stolen data “was or will be misused, or will be disseminated or otherwise made available publicly.”
However, the SEC’s order published late last week claimed that a quarterly report Blackbaud filed in August 2020 omitted details about the scope of the attack.
Read more on Blackbaud here: Blackbaud Breach Hits Nine More Universities
The firm had said the risk of donor information being taken by the hackers was “hypothetical,” the regulator noted. In reality, Blackbaud tech and customer service staff knew that donor bank account and social security information had been stolen, but didn’t communicate this to senior management, it added.
This was down to a failure to properly maintain disclosure controls and procedures, the SEC ruled.
“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.
“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
The $3m civil penalty Blackbaud will pay is not an admission of guilt. However, the firm has agreed to cease and desist from committing violations of the Securities Act and Securities Exchange Act.
In the end, the ransomware breach impacted over 13,000 customers, the SEC said.
Editorial image credit: Aleksandrkozak / Shutterstock.com