Blackbaud Settles With SEC for $3M on Donor Data Breach
Software giant Blackbaud has agreed to pay a $3 million fine to the Securities and Exchange Commission (SEC) for concealing the extent of a 2020 ransomware attack in which criminals obtained donors’ unencrypted bank account, credit card, and social security numbers.
The attack, which led the company to pay the attackers an undisclosed ransom via Bitcoin in exchange for their promise to delete the data, “resulted in the unauthorized access and exfiltration of over a million files concerning over 13,000, or roughly a quarter, of the company’s customers,” according to an SEC document outlining the agreement.
Blackbaud staff first discovered the three-month-old data breach in May 2020 — and proceeded to offer and sell company stock to its own employees during June 2020 — before finally disclosing the breach on July 16, 2020, according to the SEC consent order. A Blackbaud spokesperson told The NonProfit Times, in a story published that same day, that the disclosure delay of more than two months was due to the sophistication of the attack and the need for time to assess what happened but that no credit card, bank account information, or social security numbers had been stolen.
Blackbaud repeated the assertion both on its website and in notices to customers, a claim that was discredited days later when the company’s own personnel confirmed “that certain donor bank account information and social security numbers had been accessed and exfiltrated by the attacker in an unencrypted format, contrary to the claims in the company’s July 16, 2020 website post and notices,” according to the SEC’s findings.
Blackbaud, however, continued to downplay the incident during a late July 2020 quarterly earnings call where “analysts asked several questions about the cybersecurity incident, including concerning the nature of the data impacted, which the company did not answer,” the statement continued.
Blackbaud again “omitted this material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical” in a required August 4, 2020, SEC filing where it stated “only that the cybercriminal removed a copy of a subset of data,” according to the federal agency. Blackbaud said in the filing that a “compromise of our data security that results in customer or donor personal (sic) or payment card data being obtained by unauthorized persons could (sic) adversely affect our reputation with our customers and others” and “could result in litigation against us,” which omitted the fact that such a compromise had already occurred and was no longer hypothetical.
Blackbaud’s omissions “perpetuated the false impression, started with the company’s earlier website post and customer notices, that the incident did not result in the attacker accessing highly sensitive donor data – data at the core of the company’s business as a service provider helping institutions manage donor relationships – when in fact the company’s personnel learned before August 4, 2020 that such data had been accessed and exfiltrated by the attacker,” according to the SEC document.
In a statement Monday to The NonProfit Times attributed to Chief Financial Officer Tony Boor, Blackbaud said it was “pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies. Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape.”
Blackbaud agreed to pay the fine “without admitting or denying” the SEC’s findings, but has also agreed not to contest them.
Blackbaud might not yet be completely out of the woods on this, however. The company, with customers in 100 countries, continues to face legal and regulatory repercussions abroad and has been hit with several class-action lawsuits. Prior to the SEC agreement, company leaders had repeatedly declined to say publicly how many customers were impacted, having previously characterized them as “a small percentage of our total customers” of which “only a subset” were affected.
Blackbaud, a publicly traded company on NASDAQ, most recently had a market capitalization of nearly $3.1 billion on yearly revenue of $1.05 billion and a net profit margin of negative 4.99%, with a debt-to-equity ratio of 115.46%. Its stock closed March 20 at $57.83 after hitting a 52-week high of $65.40 in June 2022 and a 52-week low of $43.40 in October. The price is down about 1.1% since the start of 2023 and down about 4.9% from a year ago.
In a disclosure to investors last month, company officials said the total costs related to the security breach exceeded its insurance coverage during the first quarter of 2022 and that the company anticipates making net cash outlays between $25 million and $35 million in 2023 for ongoing legal fees related to the breach.
This article was originally published by The NonProfit Times.