Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger’s customers.
According to America’s financial watchdog, the SEC, Blackbaud will cough up the cash – without admitting or denying the regulator’s findings – and will cease and desist from committing any further violations.
“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies,” Tony Boor, the outfit’s chief financial officer, told The Register.
“Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape,” Boor added.
For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz’s concerns, we imagine.
Slap on the wrist
Here’s what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn’t tell customers about the security breach until July 2020. And when the software company did notify customers, it assured them that the “cybercriminal did not access…bank account information, or social security numbers,” according to the SEC order [PDF].
By the end of that month, however,