SEC.gov | SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors


Skip to main content
SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors
FOR IMMEDIATE RELEASE
2023-48

Washington D.C., March 9, 2023 —
The Securities and Exchange Commission today announced that Blackbaud Inc., a South Carolina-based public company that provides donor data management software to non-profit organizations, agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.

The SEC’s order finds that, on July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures. Due to this failure, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

The SEC's order finds that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty.

The SEC’s investigation was conducted by Brent Wilner and supervised by Diana Tani, Carolyn Welshhans, and Mr. Hirsch. The SEC appreciates the assistance of the Federal Trade Commission and the Offices of the Attorneys General for the States of Indiana and Vermont.

















Search SEC.gov




Company Filings



















U.S. Securities and Exchange Commission




q























About


Careers


Commissioners


Contact


Reports and Publications


Securities Laws


What We Do





Divisions & Offices


Corporation Finance


Enforcement


Investment Management


Economic and Risk Analysis


Trading and Markets


Office of Administrative Law Judges


Examinations


Regional Offices





Enforcement


Litigation Releases


Administrative Proceedings


Opinions and Adjudicatory Orders


Accounting and Auditing


Trading Suspensions


How Investigations Work


Receiverships


Information for Harmed Investors





Regulation


Rulemaking Index


Proposed Rules


Final Rules


Interim Final Temporary Rules


Other Orders and Notices


Self-Regulatory Organizations


Staff Interpretations





Education


Investor Education


Glossaries


Small Business Capital Raising





Filings


EDGAR – Search & Access


EDGAR – Information for Filers


Company Filing Search


How to Search EDGAR


Forms List


About EDGAR





News


Press Releases


Speeches and Statements


Spotlight Topics


Upcoming Events


Webcasts


SEC in the News


SEC Videos


Media Gallery





















U.S. Securities and Exchange Commission



Divisions & Offices




Enforcement




Regulation




Education




Filings




Newsroom








Newsroom



Press Releases




Testimony








RSS Feeds



Press Releases




Public Statements




Speeches




Testimony














Newsroom Left Nav





Newsroom



Press Releases



Speeches and Statements



SEC Stories



Spotlight Topics



Media Kit



Press Contacts



Events



Webcasts



Media Gallery



RSS Feeds


Press Releases



Speeches and Statements



Litigation Releases



Investor Alerts



More RSS Feeds








Social Media


@SECGov



SEC Channel



View All Social Media




















































Newsroom Left Nav





Newsroom



Press Releases



Speeches and Statements



SEC Stories



Spotlight Topics



Media Kit



Press Contacts



Events



Webcasts



Media Gallery



RSS Feeds


Press Releases



Speeches and Statements



Litigation Releases



Investor Alerts



More RSS Feeds








Social Media


@SECGov



SEC Channel



View All Social Media


















































Press Release











































SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors


FOR IMMEDIATE RELEASE
2023-48




Washington D.C., March 9, 2023 —






The Securities and Exchange Commission today announced that Blackbaud Inc., a South Carolina-based public company that provides donor data management software to non-profit organizations, agreed to pay $3 million to settle charges for making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.



The SEC’s order finds that, on July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers. Within days of these statements, however, the company’s technology and customer relations personnel learned that the attacker had in fact accessed and exfiltrated this sensitive information. These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures. Due to this failure, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and misleadingly characterized the risk of an attacker obtaining such sensitive donor information as hypothetical.



“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”



The SEC's order finds that Blackbaud violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-13, and 13a-15(a) thereunder. Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty.



The SEC’s investigation was conducted by Brent Wilner and supervised by Diana Tani, Carolyn Welshhans, and Mr. Hirsch. The SEC appreciates the assistance of the Federal Trade Commission and the Offices of the Attorneys General for the States of Indiana and Vermont.






###











Related Materials

SEC Order
































STAY CONNECTED
1 Twitter 2 Facebook 3RSS 4YouTube
6LinkedIn 8 Email Updates













About The SEC





Budget & Performance



Careers



Commission Votes



Contact



Contracts



Data Resources












Transparency





Accessibility & Disability



Diversity & Inclusion



FOIA



Inspector General



No FEAR Act & EEO Data



Ombudsman



Whistleblower Protection












Websites





Investor.gov



Related Sites



USA.gov












Site Information





Plain Writing



Privacy & Security



Site Map























Return to Top





































Read the original article 9 Mar 2023