Blackbaud settles with SEC over misleading ransomware information

blue digital lights in a zig zag pattern

Image via Unsplash

Blackbaud has agreed to settle charges due to misleading information regarding a ransomware attack the company suffered in 2020. The SEC found that when Blackbaud announced the attack they claimed that the ransomware did not access donor bank account information or social security numbers.

Within days of these statements, according to the SEC, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. According to the SEC, the employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures.

Due to this failure, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.

Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.