Blackbaud Fined $3M For ‘Misleading Disclosures’ About 2020 Ransomware Attack

Cloud computing vendor Blackbaud has been slapped with a $3 million civil penalty by the Securities and Exchange Commission (SEC) for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers. The SEC found that Blackbaud was not forthcoming about the extent of the data-extortion malware attack and left out material information about the scope of the incident. In July 2020, Blackbaud confirmed it made a ransom payment to help with data recovery efforts after ransomware actors infected its corporate network.

The SEC revealed that Blackbaud’s incident notice, which has since been removed from its website, said the attackers did not access credit card data, bank account information or the social security numbers of its customers. However, the SEC found that this claim was misleading. Blackbaud failed to disclose that its personnel had learned that the attacker had in fact accessed and exfiltrated sensitive information. Due to this failure, the company filed a quarterly report with the SEC that was misleading and omitted material information about the scope of the attack.

David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, noted that Blackbaud failed in its obligation to provide its investors with accurate and timely material information. Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations and pay a $3 million civil penalty.

In conclusion, Blackbaud has been hit with a $3 million civil penalty by the SEC for failing to inform investors of the full extent of a 2020 ransomware attack. The company left out material information, misled investors, and failed to update its quarterly report with the SEC. Without admitting or denying the SEC’s findings, Blackbaud agreed to pay a $3 million civil penalty and cease and desist from committing violations.

Key Points:
• Blackbaud has been hit with a $3 million civil penalty by the SEC for failing to inform investors of the full extent of a 2020 ransomware attack.
• The company left out material information, misled investors, and failed to update its quarterly report with the SEC.
• Without admitting or denying the SEC’s findings, Blackbaud agreed to pay a $3 million civil penalty and cease and desist from committing violations.
