The SEC has announced that Blackbaud, a software provider serving non-profit organizations, will pay a $3 million settlement over its inadequate disclosure of a 2020 ransomware attack that affected more than 13,000 customers. The SEC's investigation found that the firm continued to misstate the extent of the incident even after it learned that its original public announcements were inaccurate.
This attack was the largest healthcare data breach reported in 2020, affecting over 10 million patients and more than two dozen provider organizations. The attackers went undetected for more than three months and accessed sensitive information about donors, prospective donors, patients, and other individuals tied to the affected entities.
Blackbaud stated in its initial public notice on July 16, 2020, that the attackers had not obtained donors' financial account numbers or Social Security numbers, and that the compromised information was limited to names, contact details, health information, and similar personal data. In September 2020, however, the company disclosed in a filing with the United States Securities and Exchange Commission (SEC) that the attackers had in fact accessed previously unreported sensitive personal information, including Social Security numbers, bank account information, usernames, and passwords, and that these fields had been stored unencrypted.
The SEC's investigation found that Blackbaud's technical and customer relations staff knew the attackers had exfiltrated this unencrypted data, but that the information was never escalated to the senior managers responsible for public disclosures, because the company lacked adequate disclosure controls and procedures. On that basis, the SEC concluded that Blackbaud had violated several provisions of the Securities Exchange Act of 1934 by omitting material information about the scale of the attack.
The SEC order further noted that Blackbaud had received thousands of customer complaints about the incident before it had reviewed the content of the stolen data. The SEC determined that Blackbaud's quarterly report to the Commission omitted essential details about the attack because the company failed to maintain disclosure controls and procedures that would have ensured the breach's full impact reached the executives responsible for that report.
David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, stated, “As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous. Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
Blackbaud neither admitted nor denied the SEC's findings, but it consented to an order requiring it to cease and desist from further violations. The settlement sends a clear message to companies of all kinds about the importance of transparency when handling security incidents: regulators such as the SEC and FTC are penalizing serious violations and scrutinizing how companies protect user data. Breach notices should give affected individuals enough detail to judge what was exposed and to take whatever steps are needed to guard against fraud.