Cloud computing provider Blackbaud has been ordered to pay a $3m civil penalty by the US Securities and Exchange Commission (SEC) over a ransomware attack in 2020.
The company was accused of “making misleading disclosures” and failing to maintain “disclosure controls and procedures” after hackers found unencrypted bank account and Social Security numbers in more than one million files stored by Blackbaud.
Despite detecting the breach in May 2020, it was not until September that the company publicly stated the attack resulted in the theft of “unencrypted donor bank account information and Social Security numbers”. The SEC said Blackbaud ran afoul of federal law requiring truthful disclosures, even if it did not intend to omit material facts.
The breach affected at least 250 organisations in the US and elsewhere, and health data breach reports affecting at least six million people were filed with the US Department of Health and Human Services.
Customers in Canada, Europe and New Zealand were also among those affected. Blackbaud still faces a consolidated class action lawsuit from plaintiffs alleging its “security program was woefully inadequate”. Attempts to have the case dismissed have been unsuccessful, although the court has dismissed some claims.
As part of the settlement agreement with the SEC, Blackbaud agreed to cease and desist from committing multiple violations of securities laws, including the requirement to maintain disclosure controls and procedures.
Future violations could result in civil penalties. The company is also facing a reprimand from the UK’s Information Commissioner’s Office, which typically details an organisation’s violations of the General Data Protection Regulation and makes recommendations for addressing shortcomings.