Blackbaud to pay $3M fine for concealing investor data breach

SEC fines Blackbaud $3 million for misleading investors over cyber attack
The Securities and Exchange Commission (SEC) has imposed a fine of $3 million on Blackbaud, a supplier of cloud CRM systems, for misleading its investors about the ransomware attack that hit more than 13,000 of the company's customers in 2020.
According to the SEC, Blackbaud announced on July 16, 2020, that no bank account information or Social Security numbers (SSNs) were affected during the attack. However, it was later discovered that this statement was false. Cybercriminals were able to access fields containing bank account information, SSNs, login credentials, and user passwords. Although most of these fields were encrypted, some were left unencrypted, leading to the breach.
Ironically, two months after the hack, Blackbaud released a statement that contradicted its earlier announcement. The company claimed that cybercriminals did not gain access to any credit card, bank account, or SSN information. The company also acknowledged that it paid a ransom to the cybercriminals to ensure that the remote copy of the data was destroyed.
Blackbaud’s IT staff failed to notify senior management about the cyber attack immediately, and the company did not disclose the incident in its quarterly report filed with the SEC, despite knowing that its public statements about the hack were incorrect. As a result of these actions, Blackbaud misled its investors and exposed them to unnecessary risks.
David Hirsch of the SEC’s enforcement division reminded public companies that they are required to provide their investors with accurate and timely information. Hirsch also warned that companies providing false information to the SEC could face class-action lawsuits from their investors.