Blackbaud penalized $3 million for misleading ransomware disclosures

South Carolina-based software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of a 2020 ransomware attack that impacted more than 13,000 nonprofit customers, the United States Securities and Exchange Commission reports.

The company, which provides donor relationship management software to nonprofit organizations, detected unauthorized access to its systems on May 14, 2020, and on July 16, 2020, announced that the ransomware attacker did not access donor bank account information or Social Security numbers. Within days of these statements, however, company personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. Personnel did not communicate this to the senior management responsible for the company's public disclosure, because the company failed to maintain disclosure controls and procedures. In August 2020, Blackbaud filed a quarterly report with the SEC that omitted information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining this information as hypothetical.

According to CSO Online, the SEC investigation also found that the company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks was communicated to the company’s senior management and other disclosure personnel.

Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay the civil penalty.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC Enforcement Division’s crypto assets and cyber unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
