Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on about 13,000 of the cloud software slinger's customers.
According to America's financial watchdog, the SEC, Blackbaud will cough up the cash - without admitting or denying the regulator's findings - and will cease and desist from committing any further violations.
"Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies," Tony Boor, the outfit's chief financial officer, told The Register.
"Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape," Boor added.
For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz's concerns, we imagine.
Slap on the wrist
Here's what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn't tell customers about the data breach until July 2020. And when the software company did notify customers, it assured them that the "cybercriminal did not access…bank account information, or social security numbers," according to the SEC order [PDF].
By the end of that month, however, the SEC claims that Blackbaud staff discovered that the miscreants had accessed unencrypted donor bank account information and social security numbers. But the employees allegedly didn't tell senior management about the theft of sensitive customer data because Blackbaud "did not have policies or procedures in place designed to ensure they do so," the court documents say. Make of that what you will.
- Blackbaud – firm that paid off crooks after 2020 ransomware attack – fails to get California privacy law claim dropped
- Cloud biz Blackbaud caved to ransomware gang's demands – then neglected to inform customers for 2 months
- 'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'
- Brit unis hit in Blackbaud hack inform students that their data was nicked, which has gone as well as you might expect
This, in turn, resulted in the company filing a quarterly SEC report that omitted this material information about the scope of the cyberattack, and according to the agency, "misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical."
A month later, company execs filed an amended Form 8-K [PDF] about the ransomware infection, and admitted for the first time that criminals "may have accessed some unencrypted" customer banking information. Oops.
"As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its staff learning that its earlier public statements about the attack were erroneous," David Hirsch, chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit, said in a statement. "Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so."
The ransomware infection — and lack of transparency about the data snafu — also sparked several class action lawsuits against Blackbaud. This might be a very costly error. ®