Cloud software company Blackbaud has agreed to pay a $3 million settlement for misleading disclosures about a ransomware attack that happened nearly three years ago, in May 2020.
The public company, which provides donor data management software to nonprofits and educational institutions, had until now failed to fully reveal a ransomware attack it was aware of at the time.
More than 13,000 customers are believed to have been affected by the attack, with personal information such as names, addresses, email addresses and phone numbers exposed.
Blackbaud ransomware attack in 2020
The US Securities and Exchange Commission (SEC) explained that “[…] in August 2020, the company filed a quarterly report with the SEC that omitted this vital information about the scope of the attack and mischaracterized the risk of an attacker obtaining such sensitive donor information as hypothetical.”
The head of the SEC’s Crypto Assets and Cyber Unit, David Hirsch, noted that Blackbaud failed to inform investors in an accurate and timely manner about the ransomware attack – an obligation it has as a public company.
However, the company complied with the threat and paid the cybercriminal’s demand, receiving “confirmation that the copy they removed was destroyed”, and cited the protection of customer data as a key priority in its decision.
Because of the inadequate disclosure and the events that followed, Blackbaud was found to have violated various sections and rules of the Securities Act of 1933 and the Securities Exchange Act of 1934, resulting in a $3 million civil penalty and an order that Blackbaud cease committing these violations.
The company has yet to comment publicly on the settlement or to reassure customers whose concerns were raised after the ransomware attack became public.