The U.S. Securities and Exchange Commission (SEC) has ordered S.C.-based software solutions provider Blackbaud to pay $3M over “misleading disclosures” about a May 2020 ransomware attack that exposed customers’ bank account data.
The SEC alleges that Blackbaud failed to promptly notify its customers about the incident and was not transparent about what types of customer data were stolen.
- Blackbaud specializes in cloud software and services for non-profit organizations, charities, foundations, and universities in the U.S., Canada, the U.K., and the Netherlands.
- The May 2020 cyberattack affected 13,000 Blackbaud customers and has resulted in more than 23 proposed consumer class action cases against the company, based on the SEC’s 2020 Q3 Quarterly Report.
- According to the SEC, Blackbaud discovered the ransomware attack in May 2020 but did not disclose the incident until July. It also alleges that the software solutions provider was dishonest: it told affected customers that only names, addresses, email addresses, and telephone numbers had been stolen, leaving out that the threat actors had also stolen bank account data and social security numbers.
- In July 2020, Blackbaud announced that the stolen personal data “had been destroyed,” which the SEC also labeled as a misleading claim, stating that the company “failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous.”
- Blackbaud has agreed to pay the $3M to settle the aforementioned charges.