The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$3 Million Settlement with Blackbaud Resolves SEC Allegations of Misleading Disclosures About Ransomware Attack

The Securities and Exchange Commission (SEC) has agreed to a $3 million settlement with Blackbaud Inc. to resolve charges that the company issued misleading statements about the impact of its 2020 ransomware attack. Blackbaud is a Charleston, SC-based cloud computing provider that serves the social good community. In May 2020, malicious actors gained access to its self-hosted private cloud environment and used ransomware to encrypt files. The forensic investigation confirmed the hackers gained access to files that included donor information such as names, addresses, phone numbers, email addresses, and birth dates. According to Blackbaud, approximately 13,000 customers were affected.

In July 2020, Blackbaud confirmed that the attack was blocked before the attackers were able to encrypt its systems fully, but not in time to prevent a copy of certain data from being stolen from its cloud environment. Blackbaud paid the ransom to ensure the stolen information was deleted and received proof that the stolen data had been deleted. Blackbaud initially said no financial information or Social Security numbers were exposed; however, Blackbaud later confirmed that a subset of individuals had their bank account information, Social Security numbers, and usernames and passwords exposed.

According to the SEC, Blackbaud publicly announced on July 16, 2020, that bank account information and Social Security numbers were not accessed, but within a few days of those public statements being made, its technology and customer relations staff learned that bank account information and Social Security numbers were in the dataset that was exfiltrated by the attackers. In August 2020, three months after the attack occurred, Blackbaud said in a 10-Q filing that there was only a hypothetical risk that data was stolen in the attack, then confirmed in an 8-K filing in September 2020 that Social Security numbers and bank account information may have been stolen.

Blackbaud did not deliberately issue misleading statements, as technology and customer relations personnel did not communicate the discovery of the theft of financial data and Social Security numbers to the senior management responsible for public disclosures. According to the SEC, Blackbaud failed to maintain disclosure controls and procedures. The SEC determined that Blackbaud had violated sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934, and Rules 12b-20, 13a-13, and 13a-15(a).


“Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.” Blackbaud agreed to settle with the SEC with no admission or denial of the charges and agreed to pay a $3 million civil monetary penalty.

“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies,” said Blackbaud Chief Financial Officer, Tony Boor. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
