SEC orders Blackbaud to pay $3M for misleading ransomware disclosures


A South Carolina-based software company agreed to pay $3 million to the Securities and Exchange Commission (SEC) to settle claims it violated securities law by failing to disclose the true scope of a ransomware attack that affected 13,000 users.

Blackbaud disclosed details about a breach of customer personal information in July 2020 on its website and through direct contact with customers but claimed no bank account information or Social Security numbers had been exposed.

In August, the company made a similar disclosure to the SEC in a quarterly report. The company omitted material information about the attack, the SEC said in its order, namely that the hacker did in fact obtain the bank account information and Social Security numbers of some Blackbaud customers.

lock iconTHIS IS MEMBERS-ONLY CONTENT. To continue reading, choose one of the options below.