"Blackbaud Settles $3m Charge Over Ransomware Attack"

Cloud software provider Blackbaud has recently agreed to pay $3m to settle charges over regulatory filings it made following a major 2020 ransomware attack. The South Carolina-based firm, which sells software to non-profits, schools, and other “social good” organizations, said at the time that it discovered and contained the May 2020 attack, but that threat actors managed to steal sensitive data belonging to customers. Blackbaud paid its extorters and stated at the time that it had no reason to believe the stolen data had been or would be misused, disseminated, or otherwise made publicly available.

However, the SEC’s order, published late last week, claimed that a quarterly report Blackbaud filed in August 2020 omitted details about the scope of the attack. The firm had said the risk of donor information being taken by the hackers was “hypothetical.” The SEC stated that, in reality, Blackbaud tech and customer service staff knew that donor bank account details and social security information had been stolen but didn’t communicate this to senior management. The SEC ruled that this was due to a failure to properly maintain disclosure controls and procedures.

David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, stated that Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that their earlier public statements about the attack were erroneous. Hirsch noted that public companies have an obligation to provide their investors with accurate and timely material information and that Blackbaud failed to do so. The firm has agreed to cease and desist from committing violations of the Securities Act and Securities Exchange Act. In the end, the ransomware breach impacted over 13,000 customers, the SEC said.

 

Infosecurity reports: "Blackbaud Settles $3m Charge Over Ransomware Attack"

 
