SEC charges Blackbaud for failing to disclose 'full impact' of ransomware attack

Software house Blackbaud has agreed to pay $3 million to settle charges related to a May 2020 ransomware attack that exposed customers’ bank account data, the U.S. Securities and Exchange Commission said on Thursday.

The SEC charged Blackbaud, whose cloud software is used by colleges, universities, nonprofits and far-right organizations, for making "misleading disclosures" about the cyberattack that affected more than 13,000 Blackbaud customers.

Although Blackbaud discovered the ransomware attack in May 2020, the company didn’t disclose the incident until July of that year. At the time, the South Carolina-based company told affected customers that only names, addresses, email addresses and telephone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers."

But the SEC alleges that Blackbaud's technology and customer relations personnel learned "within days" that the attacker had in fact accessed and exfiltrated this sensitive information, yet did not tell the senior managers responsible for public disclosure, because the firm failed to maintain disclosure controls and procedures that would have routed the finding to them. Blackbaud didn’t admit that attackers had accessed customers’ bank account data and Social Security numbers until that September, in a filing with the SEC.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC enforcement division’s crypto assets and cyber unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

The Blackbaud ransomware attack impacted thousands of schools, universities and other nonprofit organizations, including Des Moines University, Human Rights Watch and the U.K.’s Labour Party. Blackbaud admitted that it paid a ransom to the hackers — a move discouraged by most law enforcement agencies — and claimed to have received “confirmation” that the attackers had destroyed the stolen personal data.

The SEC said on Thursday that, without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of the securities-law provisions it was charged under and to pay a $3 million civil penalty.

Blackbaud didn’t respond to our questions.