April 13, 2024

Software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of the ransomware attack it suffered in 2020, according to the US Securities and Exchange Commission (SEC).

South Carolina-headquartered Blackbaud provides donor relationship management software to various non-profit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.

The company detected unauthorized access to its systems on May 14, 2020, which impacted 13,000 customers. On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers.

However, in its order last week, the SEC found that Blackbaud personnel were aware that the attacker had also accessed bank account information and social security numbers, but the company failed to inform regulators and customers.

Without admitting or denying the SEC's findings, Blackbaud agreed to cease and desist from further violations of the securities-law provisions cited in the order and to pay a $3 million civil penalty, the SEC said in a press statement.

"As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous," David Hirsch, chief of the SEC enforcement division's crypto assets and cyber unit, said in a statement. "Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so."

Ransomware attack began in Feb 2020

Blackbaud detected the ransomware attack in May 2020, but the attack had begun in February of the same year. Company personnel found messages from the attacker in the company's systems claiming to have exfiltrated data relating to Blackbaud's customers, and subsequently demanding payment.

Blackbaud, together with a third-party cybersecurity firm, investigated the incident. The company also engaged in communications with the attacker to coordinate the payment of a ransom in exchange for the attacker's promise to delete the exfiltrated data.

By July 16, 2020, the company had analyzed the exfiltrated file names to determine which products and customers were impacted. However, the company did not analyze the contents of any of the exfiltrated files, the SEC order said.

Blackbaud found that the attacker had exfiltrated at least one million files. Based on the file-name review alone, the company identified over 13,000 impacted customers and multiple impacted products, including various versions of the company's donor relationship software.

The company announced the incident for the first time on its website on July 16, 2020, and sent notices to impacted customers stating that the cybercriminals did not access bank account information or social security numbers. However, by the end of the same month, company personnel found that the attacker had, in fact, accessed donor bank account information and social security numbers in unencrypted form for many of the impacted customers, the SEC order said.

"Although the company's personnel were aware of the unauthorized access to and exfiltration of donor bank account numbers and social security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud's senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so," the SEC order said.

Series of non-disclosures

The SEC accused Blackbaud of a series of non-disclosures. In a regulatory filing in August 2020, Blackbaud said, "the cybercriminal removed a copy of a subset of data."

In the same regulatory filing, the company made no reference to the attacker removing any sensitive donor data, and made no mention of the exfiltration of donor social security numbers and bank account numbers, the SEC order said.

"This statement omitted the material fact that a large number of customers had unencrypted bank account and social security numbers exfiltrated, in contrast to the company's unequivocal, and ultimately erroneous, claims in the July 16, 2020, website post and customer notices," the SEC order noted.

"A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties," Blackbaud said in a section of the August 2020 filing that discussed cybersecurity risks.

This statement also omitted the material fact that such data had in fact been exfiltrated by the attacker, which meant that the risks of such an attack to the company's business were no longer hypothetical.

It was only on September 29, 2020 that Blackbaud furnished another statement to the regulator about the incident and acknowledged for the first time that "the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames, and/or passwords."

The company also sent notices to the customers that Blackbaud believed had such sensitive donor information accessed and exfiltrated.

The SEC investigation also found that the company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks was communicated to the company's senior management and other disclosure personnel.

Copyright © 2023 IDG Communications, Inc.