Blackbaud to pay $3M for misleading disclosures on ransomware attack
(Reuters) — Software company Blackbaud Inc. has agreed to pay $3 million to settle charges it made misleading disclosures about a 2020 ransomware attack that affected more than 13,000 customers, the U.S. Securities and Exchange Commission said on Thursday.
In July 2020, the South Carolina-based provider of donor data management software disclosed a ransomware attacker and said the attacker had not accessed bank account information or Social Security numbers of donors, the SEC said.
“Within days” of those disclosures, some company employees learned the attacker had accessed and taken that information, but the employees did not tell senior managers responsible for public disclosure because the firm failed to maintain disclosure controls and procedures, the SEC said.
In August 2020, the SEC said, Blackbaud filed a quarterly report with the agency that omitted material information about the scope of the attack.
Representatives for Blackbaud, which did not admit or deny the SEC’s findings, did not respond immediately to a request for comment.
The regulator has pushed public companies and registered entities to make more timely and specific disclosures about cyberattacks.
The SEC is set to unveil an effort next week to control how broker-dealers and others tackle the risk of hacking and respond to theft of customer data, continuing a regulatory drive on cybersecurity in the financial sector.