Blackbaud Inc., which sells donor data management software to nonprofits, agreed Thursday to pay the Securities and Exchange Commission $3 million in a settlement regarding disclosures of a 2020 ransomware attack.
The SEC charged that Blackbaud violated federal law in making misleading disclosures that failed to mention the full extent of customer information seized in the cyberattack. Part of that failure stemmed from company personnel neglecting to inform upper management that sensitive data had been taken.
On May 14, 2020, Blackbaud discovered that someone had been accessing their internal systems without authorization since as early as February 2020, and found messages from the perpetrator saying that customer data had been taken from the system.
The attacker demanded ransom in exchange for deleting the stolen data. A third-party vendor was hired to investigate, and to arrange communications with the attacker to eventually arrange payment of the ransom.
By July 16, 2020, Blackbaud figured out that at least a million files relating to over 13,000 clients had been taken. Several products, including multiple versions of Blackbaud’s donor management software, were also caught up in the attack.
On that day, Blackbaud publicly disclosed the attack, including to the over 13,000 affected customers. In the announcement, Blackbaud said that the criminal did not access bank account information or Social Security numbers.
In the days afterward, Blackbaud received over 1,000 messages from customers regarding the cyberattack. Multiple customers raised concerns over the possibility that donor banking and Social Security data had been uploaded to the Blackbaud software using non-encrypted fields, or otherwise included in non-encrypted attachments.
By July 21, 2020, Blackbaud had begun acknowledging to customers that their fears about non-encrypted fields and attachments were true. By the end of the month, Blackbaud had confirmed that the criminal stole donor Social Security and banking information.
The technical and customer service personnel that had confirmed the theft of that information did not tell senior management. There was no internal policy in place to ensure they did so, the SEC said.
As a result, in a subsequent SEC filing in August 2020, Blackbaud did not mention that the banking information and Social Security numbers of the donors of their customers had been stolen.
In a Sept. 29, 2020, filing, the company finally admitted that the cybercriminal may have accessed the non-encrypted fields meant to be used for sensitive donor data. Around that time, customers that Blackbaud believed had data stolen were told as much.
The negligence of the personnel and resulting false disclosures by senior management violated federal law, the SEC said, even though management was not aware of the violations when they were committed.
Blackbaud agreed to pay the settlement and to stop violations by ensuring that all relevant information about data breaches reached senior staff in charge of disclosures. Blackbaud, in doing so, neither admitted nor denied the SEC’s claims.