Blackbaud, a cloud-based software provider for nonprofits, universities, healthcare organizations, and more, fell victim to a ransomware attack in May 2020 that compromised the data of more than 13,000 customers.
Unfortunately, the company did not disclose the full extent of the breach and made misleading statements about the nature and impact of the incident. As a result, Blackbaud was recently fined $3 million by the U.S. Securities and Exchange Commission (SEC) for violating federal securities laws.
According to Blackbaud's public statements and regulatory filings in 2020, the company discovered a ransomware attack on its systems and successfully prevented the attackers from blocking access to its data or encrypting its files.
However, before being locked out, the attackers managed to copy some of Blackbaud's customers' data, including names, addresses, phone numbers, email addresses, dates of birth, donation history, and other personal information. Blackbaud decided to pay an undisclosed ransom to the attackers in exchange for their assurance that they had deleted the stolen data, SC Media reports.
The company claimed it had no reason to believe that any data was misused or made public by the attackers. The company also said that it had hired third-party experts to monitor the Dark Web for any evidence of data exposure.
However, Blackbaud did not notify its customers or investors about the ransomware attack until July 2020, two months after it occurred. Blackbaud also failed to reveal that some of its customers' financial data and Social Security numbers were also accessed by the attackers until September 2020, which is exactly why the SEC came knocking on their door.
The SEC charged Blackbaud with making misleading disclosures about the scope and impact of the ransomware attack in violation of federal securities laws. The SEC found that Blackbaud's statements were important for investors and customers to assess the risk and potential harm of the breach.
As a result, Blackbaud agreed to pay $3 million to settle the SEC charges without admitting to or denying them. The company also agreed to cease and desist from committing or causing any future violations of federal securities laws.
David Hirsch, Chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit, discussed the case:
"As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous. Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so."
The Blackbaud case certainly illustrates some of the challenges and risks faced by organizations when dealing with ransomware attacks. It's important to remember that paying a ransom does not always guarantee hackers will delete stolen data, and that withholding information about a breach can damage trust and reputation with customers and investors.
Full transparency is so important when it comes to cyberattacks, as it's the only way we can all build to better protect each other from these threats.
Follow SecureWorld News for more stories related to cybersecurity.