Blackbaud Fined $3M for 'Failing to Disclose' That Ransomware Attack Breached Private Data

Blackbaud, a South Carolina-based provider of administrative, donor management, and CRM software to education and nonprofit organizations, has been fined $3 million by the U.S. Securities and Exchange Commission “for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers,” the federal agency said.

The SEC order said that during the ransomware attack, bank account information and Social Security numbers of donors stored by Blackbaud customers were stolen by the attackers, but Blackbaud had told customers the opposite and subsequently omitted the information in quarterly filings with the SEC. 

“On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or Social Security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information,” said the SEC order. “These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures.” 

In its August 2020 quarterly report filed with the SEC, Blackbaud “omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical,” the agency said.

“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so,” said David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. 

The agency ruled that Blackbaud violated two sections of the Securities Act of 1933 and one section of the Securities Exchange Act of 1934 as well as Rules 12b-20, 13a-13, and 13a-15(a). 

“Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions” and to pay the fine of $3 million, the agency said.

According to its website, Blackbaud provides cloud-based software for education and nonprofit fundraising and donor relationship management, enrollment, finance, grants and awards, and marketing management.

 

 

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].

