Cloud provider Blackbaud pays the price for its ransomware cover-up


Cloud software company Blackbaud has agreed to pay a €3 million settlement for misleading disclosures about a ransomware attack that occurred nearly three years ago in May 2020.

The public company, which provides donor data management software to nonprofits and educational institutions, had not fully disclosed a ransomware attack that it was aware of at the time.

This attack reportedly affected more than 13,000 customers, putting personally identifiable information such as names, addresses, email addresses, and phone numbers at risk.

Blackbaud ransomware attack in 2020

The United States Securities and Exchange Commission (SEC) explained that "in August 2020, the company filed a quarterly report with the SEC that omitted this important information about the scope of the attack and mischaracterized the risk of an attacker obtaining confidential donor information as hypothetical."

The head of the SEC Enforcement Division's Crypto Assets and Cyber Unit, David Hirsch, noted that Blackbaud failed to accurately and timely notify investors of the ransomware attack, an obligation it has as a public company.

Blackbaud did, however, comply with the cybercriminal's demand, paying the ransom in exchange for "confirmation that the copy they had taken had been destroyed," citing the protection of customer data as a key priority in its decision.

Because of this failure to communicate and the events that followed, Blackbaud violated various sections and rules of the Securities Act of 1933 and the Securities Exchange Act of 1934, resulting in a civil penalty of €3 million and a cease-and-desist order, which Blackbaud consented to without admitting or denying the findings.

The company has yet to comment publicly on the settlement, nor has it reassured the customers whose concerns were raised once the ransomware attack became a matter of public discussion.