Software firm Blackbaud has agreed to pay a $3 million penalty for failing to disclose the full scope of the ransomware attack it suffered in 2020, according to the US Securities and Exchange Commission (SEC).

South Carolina-headquartered Blackbaud provides donor relationship management software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations.

The company detected unauthorized access to its systems on May 14, 2020, which impacted 13,000 customers. On July 16, 2020, Blackbaud announced that the ransomware attacker did not access donor bank account information or social security numbers.

However, in its order last week, the SEC found that Blackbaud personnel were aware that the attacker had also accessed bank account information and social security numbers, but that the company failed to disclose this to regulators and customers.

Without admitting or denying the SEC findings, Blackbaud agreed to cease and desist from committing violations of these provisions and to pay a $3 million civil penalty, the SEC said in a press statement.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC enforcement division’s crypto assets and cyber unit, said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

Ransomware attack began in February 2020

Blackbaud detected the ransomware attack in May 2020, but the attack had begun in February of the same year. Company personnel found messages from the attacker in the company’s systems claiming to have exfiltrated data relating to Blackbaud’s customers and subsequently demanding payment.

Blackbaud, along with a third-party cybersecurity firm, investigated the incident. The company also engaged in communications with the attacker to coordinate the payment of a ransom in exchange for the attacker’s promise to delete the exfiltrated data.

By July 16, 2020, the company had analyzed the exfiltrated file names to identify which products and customers were impacted. However, the company did not analyze the content of any of the exfiltrated files, the SEC order said.

Blackbaud found that the attacker had exfiltrated at least a million files and, based on the file name review, the company identified over 13,000 impacted customers and multiple impacted products, including various versions of the company’s donor relationship software.

The company announced the incident for the first time on its website on July 16, 2020, and sent notices to impacted customers stating that the cybercriminals did not access bank account information or social security numbers.

However, by the end of the same month, company personnel learned that the attacker had, in fact, accessed donor bank account information and social security numbers in unencrypted form for a number of the impacted customers, the SEC order said.

“Although the company’s personnel were aware of the unauthorized access and exfiltration of donor bank account numbers and social security numbers by the end of July 2020, the personnel with this information about the broader scope of the impacted data did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so,” the SEC order said.

Blackbaud’s series of nondisclosures

Blackbaud has been accused of a series of nondisclosures by the SEC. In a regulatory filing in August 2020, Blackbaud said, “the cybercriminal removed a copy of a subset of data.”

In the same regulatory filing, the company made no reference to the attacker removing any sensitive donor data, and made no mention of the exfiltration of donor social security numbers and bank account numbers, the SEC order said.

“This statement omitted the material fact that a number of customers had unencrypted bank account and social security numbers exfiltrated, in contrast to the company’s unequivocal, and ultimately erroneous claims in the July 16, 2020, website post and customer notices,” the SEC order noted.

“A compromise of our data security that results in customer or donor personal or payment card data being obtained by unauthorized persons could adversely affect our reputation with our customers and others, as well as our operations, results of operations, financial condition and liquidity and could result in litigation against us or the imposition of penalties,” Blackbaud said in a section of the August 2020 filing that discussed cybersecurity risks.

This statement also omitted the material fact that such data had in fact been exfiltrated by the attacker, which meant that the risks of such an attack on the company’s business were no longer hypothetical.

It was only on September 29, 2020 that Blackbaud furnished another statement to the regulator concerning the incident and acknowledged for the first time that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames, and/or passwords.” The company also sent notices to customers that Blackbaud believed had such sensitive donor information accessed and exfiltrated.

The SEC investigation also found that the company did not have controls or procedures designed to ensure that information relevant to cybersecurity incidents and risks was communicated to the company’s senior management and other disclosure personnel.