Blackbaud has agreed to settle charges due to misleading information regarding a ransomware attack the company suffered in 2020. The SEC found that when Blackbaud announced the attack they claimed that the ransomware did not access donor bank account information or social security numbers.
Within days of these statements, according to the SEC, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. According to the SEC, the employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures.