Blackbaud, a software company, has agreed to pay $3 million to settle charges it made misleading disclosures about a ransomware attack in 2020 that impacted over 13,000 customers, the U.S. Securities and Exchange Commission said.
In July 2020, the South Carolina-based provider of donor data management software disclosed a ransomware attack and said the attacker had not accessed bank account information or Social Security numbers of donors, the SEC said.
Within days of those disclosures, some company employees learned the attacker had accessed and taken that information, but the employees did not tell senior managers responsible for public disclosure because the firm failed to maintain disclosure controls and procedures, the SEC said.
In August 2020, the SEC said, Blackbaud filed a quarterly report with the agency that omitted material information about the scope of the attack.
The SEC is set to unveil a new effort next week to control how broker-dealers and others tackle the risk of hacking and respond to theft of customer data, continuing a regulatory drive on cybersecurity in the financial sector.