A South Carolina-based software company agreed to pay $3 million to the Securities and Exchange Commission (SEC) to settle claims it violated securities law by failing to disclose the true scope of a ransomware attack that affected 13,000 users.

Blackbaud disclosed details about a breach of customer personal information in July 2020 on its website and through direct contact with customers but claimed no bank account information or Social Security numbers had been exposed.

In August, the company made a similar disclosure to the SEC in a quarterly report. The company omitted material information about the attack, the SEC said in its order, namely that the hacker did in fact obtain the bank account information and Social Security numbers of some Blackbaud customers.

In September, the company issued an updated disclosure acknowledging the breached financial information on its website and to the SEC and notified affected customers.

The details: Blackbaud discovered in May 2020 sensitive customer information had been accessed by an unauthorized party. The hacker, who might have infiltrated the company’s information system as far back as February 2020, demanded payment.

The company and a third-party cybersecurity vendor investigated the breach, finding more than a million files had been compromised. The company ultimately agreed to pay a ransom in exchange for a promise from the hacker to delete the stolen files.

During the investigation, neither the company nor the vendor analyzed the content of the stolen files before the July 2020 disclosure, the SEC stated. More than 1,000 customers contacted Blackbaud about the hack, concerned their personal information had been compromised. Further investigation by Blackbaud found some customers entered their bank account information and Social Security numbers into fields that were not encrypted, meaning the hacker had obtained them.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC’s Crypto Assets and Cyber Unit, in a press release.

Compliance ramifications: While the company’s IT team discovered some customer personal information had been compromised, that information was not shared with senior management before the August filing with the SEC, according to the agency.

The company lacked “controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks were communicated to the company’s senior management and other disclosure personnel,” the SEC said. “As a result, relevant information related to the incident was never assessed from a disclosure perspective.”

Company response: Blackbaud neither admitted nor denied the SEC’s findings.

“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the commission as the company continually improves its reporting and disclosure policies,” said Tony Boor, the company’s chief financial officer, in an emailed statement. “Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers and to minimize the risk of cyberattacks in an ever-changing threat landscape.”