Cloud CRM provider Blackbaud to pay $3M fine for covering up investor data breach

Securities and Exchange Commission (SEC) obligated cloud CRM provider Blackbaud to pay a $3 million fine for allegedly misleading its investors about ransomware attacks in 2020 which affected more than 13,000 of the company’s customers.

On July 16, 2020, Blackbaud announced that the ransomware attack did not affect investor bank account information or Social Security Numbers (SSNs). It actually turned out to be a lie.

“The investigation showed that cybercriminals could gain access to some unencrypted fields intended for bank account information, Social Security Numbers (SSN), usernames and passwords. In most cases, the fields intended for confidential information were encrypted and inaccessible, ”said company representatives.

These words are the exact opposite of previous statements made 2 months after the hack:

“Cybercriminals have not gained access to credit card information, bank accounts or social security numbers. Since the protection of our customers’ data is our top priority, we paid a ransom to the cybercriminals, confirming that the deleted copy of the data was destroyed, ”Blackbaud said after the hack.

It all started with the fact that the IT specialists of the company did not inform the top management about the attack. Blackbaud also did not disclose information about the attack in its quarterly report to the SEC, despite the fact that its staff knew that the company’s public statements about the attack were erroneous.

David Hirsch, head of the SEC Enforcement Division’s Crypto Assets and Cyber ​​Division, reminded public companies that they have an obligation to provide their investors with accurate and timely material information. Hirsch also noted that if a company provides the SEC with false information, its investors can file a class action lawsuit.