

Blackbaud has agreed to pay a $3-million civil penalty after the SEC found it made misleading disclosures about a 2020 ransomware attack. Blackbaud was ordered to cease and desist from violations of the Securities Act of 1933, according to a statement this week from the SEC.

The ransomware attack affected more than 13,000 of the nonprofit software company’s customers. The SEC characterized that number as a quarter of Blackbaud’s customers, and Blackbaud said records of about 6 million individuals were involved. The SEC noted that on July 16, 2020, Blackbaud announced that “the ransomware attacker did not access donor bank account information or Social Security numbers.” However, within days of that announcement, Blackbaud determined that this information had in fact been accessed. But the company’s technology and customer relations personnel did not communicate this information to senior management “because the company failed to maintain disclosure controls and procedures,” according to the SEC. Blackbaud received more than 1,000 customer inquiries about the attack, with some customers concerned that they had uploaded sensitive data to fields that were not encrypted. A few days later, company service personnel used a Blackbaud script that acknowledged the fields were unencrypted. Last year, Blackbaud said the intrusion would cost it $25 million to $35 million.

