Blackbaud settles with SEC over cyber breach

South Carolina-based accounting solutions company Blackbaud Inc. agreed to settle with the Securities and Exchange Commission over its failure to disclose the full extent of a cyber attack in 2020.

The SEC said that, in July 2020, Blackbaud announced it had been the victim of a ransomware attack, but that the hackers did not access donors' bank account information or social security numbers. In August, the company released a 10-Q that made little mention of the incident, save that "the cybercriminal removed a copy of a subset of data." In that discussion, the company made no reference to the attacker removing any sensitive donor data, and in particular made no mention of the exfiltration of donor social security numbers and bank account numbers.

The SEC, however, said that this is exactly what happened. The ransomware attack happened in May of 2020. By the time July rolled around, IT and customer relations staff learned that the attacker had, in fact, stolen this sensitive data, making off with a million files concerning over 13,000, or roughly a quarter, of the company's customers. Furthermore, the company's IT and customer relations staff had worked with a third party to negotiate with the hackers and ultimately coordinate payment of a ransom in exchange for the attacker's promise to delete the exfiltrated data. These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures, according to the SEC.

"This statement omitted the material fact that a number of customers had unencrypted bank account and Social Security numbers exfiltrated, in contrast to the company's unequivocal, and ultimately erroneous claims in the July 16, 2020 website post and customer notices," said the SEC report.

On September 29, 2020, Blackbaud furnished a Form 8-K concerning the incident. The company acknowledged for the first time that "the cybercriminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords." At or around that time, the company also sent supplemental notices to customers that Blackbaud believed had such sensitive donor information accessed and exfiltrated.

The SEC's order finds that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Without admitting or denying the SEC's findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty.

"As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous," said David Hirsch, chief of the SEC Enforcement Division's crypto assets and cyber unit. "Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so."
