Blackbaud penalized $3M for not disclosing the full scope of ransomware attack

Software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of the ransomware attack it suffered in 2020, according to the US Securities and Exchange Commission (SEC).

South Carolina headquartered Blackbaud provides donor relationship management software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.

The company detected unauthorized access to its systems on May 14, 2020, which impacted 13,000 customers. On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers.

However, in its order last week, SEC found that Blackbaud personnel were aware that the attacker also accessed bank account information and social security numbers but that the company failed to inform the same to authorities and customers.

Without admitting or denying the SEC findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty, the SEC said in a press statement.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC enforcement division’s crypto assets and cyber unit, said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

Ransomware attack began in February 2020

Blackbaud detected the ransomware attack in May 2020, but the attack had begun in February of the same year. The company personnel found messages from the attacker in the company’s system claiming to have exfiltrated data relating to Blackbaud’s customers, and subsequently demanding payment.

Blackbaud along with a third-party cybersecurity firm investigated the incident. The company also engaged in communications with the attacker to coordinate the payment of a ransom in exchange for the attacker’s promise to delete the exfiltrated data.

By July 16, 2020, the company analyzed the exfiltrated file names to identify which products and customers were impacted. However, the company did not analyze the content of any of the exfiltrated files, the SEC order said.

Blackbaud found that the attacker had exfiltrated at least a million files and based on the file name review, the company identified over 13,000 impacted customers and multiple impacted products, including various versions of the company’s donor relationship software.

The company announced the incident for the first time on its website on July 16, 2020, and sent notices to impacted customers claiming the cybercriminals did not access bank account information or social security numbers. However, by the end of the same month, company personnel learned that the attacker had, in fact, accessed donor bank account information and social security numbers in an unencrypted form for a number of the impacted customers, the SEC order said. 

“Although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and social security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so,” the SEC order said. 

Blackbaud’s series of nondisclosures

Blackbaud has been accused of a series of nondisclosures by the SEC. In a regulatory filing in August 2020, Blackbaud said, “the cybercriminal removed a copy of a subset of data.”

In the same regulatory filing, the company made no reference to the attacker removing any sensitive donor data, and made no mention of the exfiltration of donor social security numbers and bank account numbers, the SEC order said. 

“This statement omitted the material fact that a number of customers had unencrypted bank account and social security numbers exfiltrated, in contrast to the company’s unequivocal, and ultimately erroneous claims in the July 16, 2020, website post and customer notices,” the SEC order noted. 

“A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties,” Blackbaud said in a section of the August 2020 filing that talked about cybersecurity risks.

This statement also omitted the material fact that such data was in fact exfiltrated by the attacker, which entailed that the risks of such an attack on the company’s business were no longer hypothetical.

It was only on September 29, 2020 that Blackbaud furnished another statement to the regulator concerning the incident and acknowledged for the first time that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames, and/or passwords.” 

The company also sent notices to customers that Blackbaud believed had such sensitive donor information accessed and exfiltrated. 

The SEC investigation also found that the company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks were communicated to the company’s senior management and other disclosure personnel.