Blackbaud Inc., which sells donor data management software to nonprofits, agreed Thursday to pay the Securities and Exchange Commission $3 million in a settlement regarding disclosures about a 2020 ransomware attack.
The SEC accused Blackbaud of violating federal securities law by making misleading disclosures that omitted the full extent of the customer information seized in the cyber attack. This failure was due in part to the fact that company employees neglected to notify upper management that sensitive data had been obtained.
On May 14, 2020, Blackbaud discovered that someone had been gaining unauthorized access to its internal systems since February 2020, and found messages from the perpetrator saying that customer data had been taken from the system.
The attacker demanded a ransom in exchange for deleting the stolen data. A third-party vendor was hired to investigate and to handle communication with the attacker, ultimately arranging payment of the ransom.
By July 16, 2020, Blackbaud discovered that at least one million files belonging to more than 13,000 customers had been taken. Several products, including multiple versions of Blackbaud’s donor management software, were also affected.
Blackbaud disclosed the attack publicly that day, including to the more than 13,000 affected customers. In the announcement, Blackbaud said the perpetrator did not have access to bank account information or Social Security numbers.
In the following days, Blackbaud received more than 1,000 reports from customers regarding the cyber attack. Several customers raised concerns that donor bank account and Social Security data had been uploaded to Blackbaud’s software in unencrypted fields or otherwise included in unencrypted attachments.
By July 21, 2020, Blackbaud began admitting to customers that their concerns about unencrypted fields and attachments were well founded. By the end of the month, Blackbaud had confirmed that the perpetrator had stolen donors’ Social Security information and banking information.
The technical and maintenance personnel who confirmed the theft of this information did not report it to senior management. The SEC said there was no internal policy to ensure they did so.
As a result, in a subsequent SEC filing in August 2020, Blackbaud failed to mention that the banking information and Social Security numbers of its clients’ donors had been stolen.
In a filing dated September 29, 2020, the company finally acknowledged that the cybercriminal could have accessed unencrypted fields intended to hold sensitive donor data. Around that time, customers whose data Blackbaud believed had been stolen were told the same thing.
The staff’s failure to escalate, and the resulting disclosure of false information by senior management, violated federal securities law, the SEC said, even though management was unaware of the violations when they were committed.
Blackbaud has agreed to pay the settlement and to cease further violations by ensuring that all relevant information about data breaches reaches the senior staff responsible for disclosure. In doing so, Blackbaud neither admitted nor denied the SEC’s claims.