Security News > 2023 > March > Blackbaud to pay $3M for misleading ransomware attack disclosure

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission, alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

To settle the SEC's charges, Blackbaud has agreed to pay a $3 million civil penalty for failing to disclose the full scope of the cyber attack.

"As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous," said David Hirsch, the head of the SEC Enforcement Division's Crypto Assets and Cyber Unit.

"Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so."

According to the SEC, the company stated in July 2020 that the attackers behind the May 2020 ransomware attack had not gained access to donor bank account details or social security numbers.

Until November 2020, Blackbaud had already been sued in 23 proposed consumer class action cases in the U.S. and Canada related to the May 2020 ransomware attack and data breach, according to the 2020 Q3 Quarterly report filed with the SEC. The company also revealed that government agencies and data regulators, including a multi-state, consolidated Civil Investigative Demand issued on behalf of 43 state Attorneys Generals and the District of Columbia, have also made inquiries into the attack.

News URL

https://www.bleepingcomputer.com/news/security/blackbaud-to-pay-3m-for-misleading-ransomware-attack-disclosure/