The SEC’s finding Blackbaud made misleading statements about a 2020 ransomware attack has led to the company agreeing to a $3-million civil penalty. The company also agreed to cease and desist from violations of the Securities Act of 1933, the agency said this week.'sOn July 16, 2020, the non-profit software company announced “the ransomware attacker did not access donor bank account information or Social Security numbers,” according to the SEC statement. In fact, the attackers accessed unencrypted customer information.
The SEC said the event affected more than 13,000 of the nonprofit software company’s customers, which the agency described as a quarter of Blackbaud’s customers. Blackbaud said records of roughly 6 million individuals were involved. Last year, Blackbaud said the intrusion would cost it $25 million to $35 million.
While Blackbaud determined within days of the announcements that records had been accessed the company’s technology and customer relations personnel did not communicate this information to senior management “because the company failed to maintain disclosure controls and procedures,” according to the SEC.
Blackbaud received more than 1,000 customer inquiries about the attack with some concerned they had uploaded sensitive data to fields that were not encrypted. A few days later, company service personnel used a Blackbaud script that acknowledged the fields were unencrypted.
Blackbaud faces several lawsuits over the attack.
