
SEC charges Blackbaud for failing to disclose 'full impact' of ransomware attack


Software house Blackbaud has agreed to pay $3 million to settle charges related to a May 2020 ransomware attack that exposed customers’ bank account data, the U.S. Securities and Exchange Commission said on Thursday.

The SEC charged Blackbaud, whose cloud software is used by colleges, universities, nonprofits and far-right organizations, for making "misleading disclosures" about the cyberattack that affected more than 13,000 Blackbaud customers.

Although Blackbaud discovered the ransomware attack in May 2020, the company didn’t disclose the incident until the following July. At the time, the South Carolina-based company told affected customers that only names, addresses, email addresses and telephone numbers had been stolen, asserting that “the cybercriminal did not access credit card information, bank account information, or Social Security numbers.”

But the SEC alleges that Blackbaud's technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information "within days," yet did not tell senior managers responsible for public disclosure because the firm failed to maintain disclosure controls and procedures. Blackbaud didn’t admit that attackers had accessed customers’ bank account data and Social Security numbers until September in a filing with the SEC.