
Blackbaud pays $3 million for misleading disclosures in 2020 ransomware attack

Blackbaud has agreed to pay the Securities and Exchange Commission $3 million to settle allegations that it made misleading disclosures about its massive 2020 ransomware attack, which impacted over 13,000 customers.

The donor data management software company’s incident was the largest healthcare data breach reported in 2020, with the data of more than two dozen provider organizations and well over 10 million patients impacted by the incident.

The hack went undetected for over three months, which allowed the threat actors to steal troves of data tied to donors, prospective donors, patients, community members with ties to the impacted entity, and other individuals with ties to affected entities.

However, the SEC found Blackbaud “misleadingly characterized the risk of an attacker obtaining… sensitive donor information as hypothetical.”

Blackbaud failed to fully disclose ransomware impact

Blackbaud first announced the ransomware attack and data exfiltration incident on July 16, 2020, but asserted that the attackers didn’t access donors’ bank account details or Social Security numbers during the hack. Instead, company officials said the compromised data was limited to names, contact information, some health details, and similarly related personal data.

But a September 2020 company filing with the SEC painted a different picture: the attackers had access to more unencrypted data than Blackbaud initially disclosed. The subsequent disclosure showed SSNs, bank account details, usernames, and/or passwords were also exposed.

The discrepancies found in the SEC filing prompted an investigation that found within days of the initial breach disclosures, Blackbaud’s tech and customer relations staff discovered the attackers “had in fact accessed and exfiltrated this sensitive information,” but failed to share the information with “senior management responsible for its public disclosure.”

The tech team “found messages from the attacker in the company’s system claiming to have exfiltrated data concerning Blackbaud’s customers” on May 14, 2020. The attackers subsequently demanded payment, and an investigation was launched, which ultimately led to a coordinated ransom payment in exchange for the deletion of the exfiltrated data.

Further, “Blackbaud understood from the information available to it that the attacker exfiltrated at least a million files” by July 16, 2020. But the SEC found that while the tech team analyzed the stolen data to identify the affected products and customers, it didn’t “analyze the content.”

It wasn’t until thousands of complaints were sent to Blackbaud that the company conducted further analysis, which could explain the wave of disclosures from the impacted entities throughout the year.

The SEC determined the communication failures were directly caused by Blackbaud’s lack of “disclosure controls and procedures.” As a result, Blackbaud’s quarterly report filed with the SEC omitted material information about the scope of the attack.

Not only that, the SEC filing included hypothetical language like “could adversely impact,” which omits “the material fact that such customer or donor personal data was exfiltrated by the attacker” and “entailed that the risks of such an attack on the company’s business were no longer hypothetical.”

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, said in the release.

“Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so,” he added.

The SEC order shows Blackbaud violated several sections and rules of the Securities Exchange Act of 1934. The settlement does not mean Blackbaud has admitted to or denied the findings. However, the company has agreed to “cease and desist” from future violations of these provisions.

The settlement should serve as a warning to entities across all sectors of the importance of transparency in the face of an incident. As seen with the fallout from the GoDaddy hack, breach notices should include relevant specifics so consumers can take necessary actions to defend against fraud.

Regulators like the SEC and FTC are ramping up enforcement actions against egregious violations, scrutinizing company policies to protect consumer data.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
