Cloud software company Blackbaud has agreed to pay a $3 million settlement for misleading disclosures about a ransomware attack that happened almost three years ago, in May 2020.
The public company, which provides donor data management software to non-profit organizations and educational establishments, had, until now, failed to disclose a ransomware attack it was aware of at the time.
Said attack was believed to have affected over 13,000 customers, putting personally identifiable information like names, addresses, email addresses, and phone numbers at risk.
Blackbaud’s 2020 ransomware attack
The US Securities and Exchange Commission (SEC) explained that “[…] in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.”
Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, David Hirsch, noted that Blackbaud failed to inform investors in an accurate and timely manner about the ransomware attack – an obligation it has as a public company.
Blackbaud nevertheless complied with the attacker's demand and paid the ransom "with confirmation that the copy they removed had been destroyed", citing the protection of customer data as a key priority in its decision.
Because of this inadequate disclosure and the events that followed, the SEC found that various sections and rules of the Securities Act of 1933 and the Securities Exchange Act of 1934 had been violated, resulting in a $3 million civil penalty and an order that Blackbaud cease and desist from committing further such violations.
The company has not yet made a public comment about the settlement, nor has it issued any reassurance to customers whose doubts have been raised following the ransomware attack entering public discussions.