Blackbaud to Pay $3 Million Over 'Erroneous' Breach DetailsAfter Ransomware Attack, Company Made 'Misleading Disclosures,' Regulator Finds
Memo to ransomware victims: If you suffer an "extortion event," as many victims have taken to calling such attacks lately, be sure to come clean with investors about what was stolen in a timely manner.
That's the top-line takeaway from a U.S. Securities and Exchange Commission probe into publicly traded cloud computing provider Blackbaud, which stands accused of "making misleading disclosures about a ransomware attack that impacted more than 13,000 customers."
The company filed an August 2020 quarterly report omitting facts about its cybersecurity incident by not disclosing that hackers found unencrypted bank account and Social Security numbers, regulators wrote in an order directing Blackbaud to pay a $3 million civil penalty.
More than 1 million files stored by Blackbaud were exposed as part of a February 2020 ransomware attack the company detected three months later. At first, Blackbaud said in a data breach notification that no donors' bank account or Social Security numbers appeared to have been stolen. Poor internal controls meant senior management didn't realize the facts held otherwise when the company filed its quarterly report, the order states. Not until several weeks later did the truth bubble upward - a scenario regulators say puts Blackbaud afoul of federal law requiring truthful disclosures, even if it didn't intend to omit material facts.
"The company failed to maintain disclosure controls and procedures," the regulator says.
As is typical with such settlement agreements, the company has not confirmed or denied any wrongdoing.
At least 250 U.S.-based organizations - healthcare entities, educational institutions, nonprofits and more - appear to have been affected by the attack on Blackbaud. Resulting health data breaches affecting at least 6 million individuals were filed with the U.S. Department of Health and Human Services. Customers in Canada, Europe and New Zealand were also among those affected.
The company still faces the prospect of a consolidated class action lawsuit alleging in part that the company's "security program was woefully inadequate." The company's attempts to get the lawsuit dismissed have been unsuccessful, although the court has dismissed some claims. Plaintiffs in December filed a motion for class certification, which Blackbaud has said it will oppose.
Britain's Information Commissioner's Office reprimanded the company in September 2021 without levying a fine. Reprimands typically detail the ways in which the privacy watchdog thinks an organization has violated the U.K.'s General Data Protection Regulation and make recommendations for addressing these shortcomings.
"Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers and to minimize the risk of cyberattacks," Tony Boor, chief financial officer at Blackbaud, told Information Security Media Group. The company is "pleased" to have resolved the matter with the SEC, he said.
As part of its settlement agreements, Blackbaud agreed to cease and desist from committing multiple violations of the securities laws that the SEC enforces, including the need to maintain disclosure controls and proceedings. Future violations could result in civil penalties.
Timeline of Breach Disclosures
A breach timeline published by the SEC details the delay between some parts of the organization learning what happened and this information ending up in the hands of senior management.
- May 14, 2020: Blackbaud discovers an attack affecting one-quarter of its customers - more than 13,000 in all - that appears to have begun in February 2020. Signs point to hackers stealing over 1 million files that includes data on donors and alumni collected by customers that include educational institutions and charities.
- July 16, 2020: Blackbaud issues its first public data breach notification, which states attackers accessed no bank account information or Social Security numbers.
- Late July 2020: The company's IT and customer support teams find that attackers did access donors' bank account information and Social Security numbers, which were being stored in unencrypted format.
- Aug. 4, 2020: Blackbaud files a Form 10-Q quarterly report "that discussed the incident, but omitted this material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical," which created a "false impression" of the truth, the SEC says.
- September 29, 2020: In a Form 8-K filing, Blackbaud publicly states for the first time that the attack resulted in the theft of "unencrypted donor bank account information and Social Security numbers" for some individuals.
Blackbaud received a ransom demand from its attacker, which the company paid in return for a promise that all stolen data would be deleted. The company explained this strategy in part by saying that "protecting our customers' data is our top priority" (see: Blackbaud's Bizarre Ransomware Attack Notification).
Ransomware-response experts have long urged victims to never pay for a guarantee that stolen data will be deleted, saying there are no known cases of attackers ever honoring such promises (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).