The Securities and Exchange Commission announced a settlement with Blackbaud Thursday over charges that the South Carolina-based software company misled investors through disclosures in regulatory filings related to a 2020 ransomware attack that affected 13,000 customers.
Blackbaud agreed to pay $3 million to settle charges for making misleading disclosures about the attack in public statements and regulatory filings, according to the SEC.
The company in July 2020 stated threat actors did not access donor bank account information or social security numbers. Days later, Blackbaud employees discovered sensitive data was exfiltrated but did not convey that information to senior management, according to the SEC.
As a result, in a 10-Q filing in August 2020, the company said the risk of such data being stolen was only hypothetical, according to the SEC.
“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, said in the announcement. “Public companies have an obligation to provide their investors with accurate and timely material information.”
“Blackbaud failed to do so,” Hirsch said.
The company later tried to clean up the misleading information in September 2020 by confirming in an 8-K filing that unencrypted bank account information and social security numbers may in fact have been stolen by the hackers.
“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continuously improves its reporting and disclosure policies,” CFO Tony Boor said in a statement released to Cybersecurity Dive. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyber attacks in an ever-changing threat landscape.”
Blackbaud has since made a number of governance changes to strengthen its cybersecurity policies and procedures, including strengthening its incident response, patching and penetration testing.
The company hired Chuck Miller as its new CISO in April 2022 and months later added United Airlines CISO Deneen DeFiore to its board of directors to bolster its top-level cyber expertise and oversight.
Blackbaud provides cloud-based software to schools, healthcare organizations and other nonprofit groups to help with accounting, fundraising, social governance and other purposes.
The Federal Trade Commission as well as the state Attorneys General of Vermont and Indiana assisted in the investigation.