Data management company to pay $3 million in settlement with feds over 2020 ransomware disclosures

Blackbaud Inc., which sells donor data management software to nonprofits, agreed Thursday to pay the Securities and Exchange Commission $3 million in a settlement regarding disclosures of a 2020 ransomware attack.

The SEC charged that Blackbaud violated federal law in making misleading disclosures that failed to mention the full extent of customer information seized in the cyberattack. Part of that failure stemmed from company personnel neglecting to inform upper management that sensitive data had been taken.

On May 14, 2020, Blackbaud discovered that someone had been accessing its internal systems without authorization since as early as February 2020, and found messages from the perpetrator saying that customer data had been taken from the system.

The attacker demanded ransom in exchange for deleting the stolen data. A third-party vendor was hired to investigate and to set up communications with the attacker in order to eventually arrange payment of the ransom.

By July 16, 2020,