To settle their charges, Blackbaud has agreed to pay $3 million. The Securities and Exchange Commission (SEC) accused Blackbaud of failing to fully disclose the effects of a 2020 ransomware assault that affected more than 13,000 customers.
Many organizations, including those from the United States, The Netherlands, Canada, and the United Kingdom, are among those affected by the incident, as well as foundations, non-profits, charities, and universities worldwide.
Blackbaud has consented to pay a civil fine of $3 million to settle the SEC’s accusations against it for failing to report the entire extent of the cyberattack (without confirming or disputing the SEC’s conclusions, though).
Today we announced that Blackbaud Inc., a public company that provides donor data management software to non-profit organizations, agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.
— U.S. Securities and Exchange Commission (@SECGov) March 9, 2023
David Hirsch, the chief of the Crypto Assets and Cyber Section of the SEC Enforcement Division, claimed that despite discovering that it’s earlier public comments regarding the incident were false, Blackbaud neglected to reveal the entire consequences of a ransomware attack.
Public corporations must give their investors accurate and timely material information; Blackbaud did not comply.
The corporation allegedly told the SEC in July 2020 that the perpetrators of the May 2020 ransomware assault did not have access to donors’ social security numbers or bank account information.
Although the threat actors had accessed and taken this private data, Blackbaud’s IT and customer service staff quickly realized this.
The corporation needed more adequate disclosure controls and processes. Thus they were unable to report it to management. Blackbaud was compelled to file an SEC report the next month as a result, although it omitted crucial details regarding the scope of the breach.
Additionally, it was misrepresented in the study that there was only a remote chance that attackers would gain such sensitive donor information.
Punishment For SEC Blackbaud
Forty-three state attorneys general is looking into the assault; as of November 2020, 23 potential consumer class action lawsuits against Blackbaud have already been filed in the United States, according to the 2020 Q3 Quarterly report submitted to the SEC and Canada relating to the May 2020 ransomware attack and data breach.
The business also disclosed that government organizations and data regulators had made inquiries into the attack, such as a unified multi-state civil investigative demand on behalf of 43 state attorneys general and the District of Columbia.
The news release from Blackbaud from July 2020 (which has since been redirected to the business’ security page) also stated that the company paid the ransom demanded by the hackers after learning that all the stolen data had been completely wiped out.
As securing our client’s data is our first priority, Blackbaud said that it complied with the cybercriminal’s demand and provided proof that the copy he had taken had been destroyed.
We have no reason to assume that anybody besides the cybercriminal utilized any data, was mishandled or would be made available to the public in any other way, according to the incident’s nature, our research, and third-party investigations (including law enforcement).
Conclusion
Blackbaud, a data management business, and the Securities and Exchange Commission have settled claims that they misled investors about a 2020 ransomware assault that affected more than 13,000 of the company’s clients for $3 million. Blackbaud reported on July 16, 2020, that ransomware perpetrators had compromised neither donor bank account information nor Social Security numbers. This turned out to be untrue.
Days after the initial statement was made public, the company’s IT employees discovered the mistake but failed to notify senior management. The next month, the company’s quarterly report to the SEC should have mentioned this information. The SEC claimed the corporation “misleadingly portrayed the danger of an adversary accessing such sensitive donor information as hypothetical” in addition to failing to disclose the incident.
According to David Hirsch, the SEC Enforcement Division’s Crypto Assets and Cyber Section head, public firms must remember to give their investors accurate and timely important information. “As the ruling states, Blackbaud neglected to disclose the entire consequences of a ransomware assault even though its workers learned that its earlier public statements regarding the attack were false,” he stated.
The action is a key step toward holding businesses accountable for failing to properly disclose cyberattacks. It’s a significant step, according to Brett Callow, security analyst for Emsisoft, and this is the first time the SEC has reacted to a ransomware disclosure.