WASHINGTON (Reuters) – Software company Blackbaud Inc has agreed to pay $3 million to settle charges it made misleading disclosures about a 2020 ransomware attack that impacted over 13,000 customers, the U.S. Securities and Exchange Commission said on Thursday.
In July 2020, the South Carolina-based provider of donor data management software disclosed a ransomware attacker and said the attacker had not accessed bank account information or Social Security numbers of donors, the SEC said.
“Within days” of those disclosures, some company employees learned the attacker had accessed and taken that information, the SEC said. The employees did not tell senior managers responsible for public disclosure because the firm failed to maintain disclosure controls and procedures, the SEC said.
In August 2020, the SEC said, Blackbaud filed a quarterly report with the agency that omitted material information about the scope of the attack.
An attorney for Blackbaud, which did not admit or deny the SEC’s findings, did not respond immediately to a request for comment.
(Reporting by Kanishka Singh in Washington and Chris Prentice in New York; Editing by Chris Reese and Leslie Adler)