Software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of the ransomware attack it suffered in 2020, according to the US Securities and Exchange Commission (SEC).
South Carolina-headquartered Blackbaud provides donor relationship management software to numerous non-profit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.
The company detected unauthorized access to its systems on May 14, 2020, which impacted 13,000 customers. On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers.
However, in its order last week, the SEC found that Blackbaud personnel were aware that the attacker had also accessed bank account information and social security numbers, but the company failed to disclose this to regulators and customers.
Without admitting or denying the SEC's findings, Blackbaud agreed to cease and desist from committing violations of those provisions and to pay a $3 million civil penalty, the SEC said in a press statement.
“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC enforcement division’s crypto assets and cyber unit, said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
Ransomware attack began in Feb 2020
Blackbaud detected the ransomware attack in May 2020, but the attack had begun in February of the same year. Company personnel found messages from the attacker in the company’s system claiming to have exfiltrated data relating to Blackbaud’s customers, and subsequently demanding payment.
Blackbaud, together with a third-party cybersecurity firm, investigated the incident. The company also engaged in communications with the attacker to coordinate the payment of a ransom in exchange for the attacker’s promise to delete the exfiltrated data.
By July 16, 2020, the company had analyzed the exfiltrated file names to identify which products and customers were impacted. However, the company did not analyze the contents of any of the exfiltrated files, the SEC order said.
Blackbaud found that the attacker had exfiltrated at least one million files and, based on the file name analysis, the company identified over 13,000 impacted customers and multiple impacted products, including various versions of the company’s donor relationship software.
The company announced the incident for the first time on its website on July 16, 2020, and sent notices to impacted customers stating that the cybercriminals did not access bank account information or social security numbers. However, by the end of the same month, company personnel learned that the attacker had, in fact, accessed donor bank account information and social security numbers in unencrypted form for a number of the impacted customers, the SEC order said.
“Although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and social security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so,” the SEC order said.
Series of non-disclosures
Blackbaud has been accused of a series of non-disclosures by the SEC. In a regulatory filing in August 2020, Blackbaud said, “the cybercriminal removed a copy of a subset of data.”
In the same regulatory filing, the company made no reference to the attacker removing any sensitive donor data, and made no mention of the exfiltration of donor social security numbers and bank account numbers, the SEC order said.
“This statement omitted the material fact that a number of customers had unencrypted bank account and social security numbers exfiltrated, in contrast to the company’s unequivocal, and ultimately erroneous, claims in the July 16, 2020, website post and customer notices,” the SEC order noted.
“A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties,” Blackbaud said in a section of the August 2020 filing that discussed cybersecurity risks.
This statement also omitted the material fact that such data had in fact been exfiltrated by the attacker, which meant that the risks of such an attack on the company’s business were no longer hypothetical.
It was only on September 29, 2020, that Blackbaud furnished another statement to the regulator concerning the incident and acknowledged for the first time that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames, and/or passwords.”
The company also sent notices to customers that Blackbaud believed had such sensitive donor information accessed and exfiltrated.
The SEC investigation also found that the company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks was communicated to the company’s senior management and other disclosure personnel.
Copyright © 2023 IDG Communications, Inc.