Blackbaud to Pay $3M SEC Settlement for Misleading Disclosures After a 2020 Donor Data Breach
The Securities and Exchange Commission (SEC) settled claims against software company Blackbaud for misleading disclosures regarding a 2020 ransomware attack that impacted more than 1 million donors from 13,000 nonprofits. Blackbaud agreed to pay $3 million to settle the charges earlier this month, without admitting or denying wrongdoing as part of the settlement.
The SEC's cease-and-desist order found that Blackbaud violated sections and/or rules of the Securities Act of 1933 and Securities Exchange Act of 1934 by misleading customers about the severity of the breach. The hacker did not successfully lock Blackbaud out of its systems, but it was later determined that the hacker had stolen donor data and demanded payment in exchange for a promise to delete the stolen data.
Blackbaud also agreed to cease and desist from committing violations of the provisions again and to pay the $3 million civil penalty.
“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, said in a statement. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
Blackbaud did not respond to specific questions regarding the breach, but did provide NonProfit PRO with this statement:
“Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies. Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimize the risk of cyberattacks in an ever-changing threat landscape,” said Tony Boor, chief financial officer at Blackbaud.
Blackbaud Data Breach Incident History
Unauthorized access to Blackbaud’s systems may have begun as early as February 2020, but Blackbaud staff did not detect the suspicious activity until May 14, 2020, according to the SEC’s order. At that time, Blackbaud staff discovered messages in the company’s system that indicated customer data removal and a payment demand. Through third-party vendors, Blackbaud coordinated a ransom payment of an undisclosed amount in exchange for the deletion of the stolen data.
By July 16, 2020, Blackbaud determined that at least 1 million files had been stolen from more than 13,000 nonprofit customers, roughly a quarter of its customer base at that time, spanning multiple product lines, according to the SEC’s order.
Blackbaud alerted affected customers on July 16, 2020, via a website notice and emails; however, it erroneously claimed that bank account information and social security numbers had not been accessed, according to the SEC’s order. At that point, neither Blackbaud nor its third-party vendors had yet evaluated the stolen data.
As a result of the communications, more than 1,000 customers contacted Blackbaud, with some informing the software provider that they had entered or uploaded unencrypted sensitive donor data into Blackbaud products. Five days after the initial public disclosure, customer service personnel acknowledged that certain fields and attachments could hold sensitive information and were not encrypted.
As a result of customer inquiries, Blackbaud staff further assessed the stolen data and discovered that unencrypted sensitive information, including donor bank account numbers and social security numbers, had been stolen, according to the SEC’s order. Due to a lack of disclosure controls and procedures, this information was not relayed to senior management. Therefore, the company did not disclose that information and, in some cases, continued to provide misleading information, including during analyst meetings, a quarterly earnings call with analysts on July 29 and 30, 2020, and a quarterly report filed with the SEC on Aug. 4, 2020.
Instead, Blackbaud claimed it had “discovered and stopped” the May 2020 ransomware attack by preventing the intruder from locking Blackbaud out of its servers, Boor said in the SEC report for the quarter ending June 30, 2020. The cybercriminal, he noted, removed a copy of a subset of data from its private cloud.
“Based on the nature of the incident, our research and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” Boor said in the filing. “Most of our customers were not part of the incident. The subset of customers who were part of this incident have been notified and supplied with additional information and resources.”
Boor then corrected the company’s prior statements in an SEC filing dated Sept. 29, 2020, acknowledging some of the affected customers may have had donor information stolen and would be alerted that week.
“After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” Boor said in the filing. “In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the Security Incident.”
Blackbaud’s Cybersecurity Improvements Since the Breach
Blackbaud did not provide the specifics NonProfit PRO requested on how it has strengthened cybersecurity and protected donor data to prevent a future breach, but the software vendor gave some insight in its SEC filings.
In its 2020 SEC annual report, Blackbaud noted a $5.1 million increase in corporate costs, mainly as a result of “investments in corporate IT, including cyber security and increases in related headcount.” However, there was a $7 million increase for the same reasons in 2019, so it’s unclear whether those were one-time upgrades or recurring annual costs.
In 2021, Blackbaud noted a $12.3 million decrease in income from operations, partially due to a $10.3 million increase in third-party contractor and hosting costs as Blackbaud continues its cloud infrastructure migration “to leading public cloud service providers and invest in security,” according to its 2021 SEC annual report.
In the 2022 SEC annual report, Blackbaud noted it continues to invest heavily in security for its solutions. While not solely directed toward security, in 2022, research and development costs increased $32.3 million (26%) due to a variety of reasons including hiring more engineers and increasing its use of third-party contractors, including software developers. Meanwhile, general and administrative costs increased $53.6 million (37%) due to costs related to the 2020 breach, increased cybersecurity hiring and a $6.4 million expense the company attributed primarily to “investments in security tools.”
In July 2022, Blackbaud appointed Deneen DeFiore, vice president and global chief information security officer for United Airlines, to its board of directors. DeFiore specializes in technology and cybersecurity, overseeing United’s cybersecurity strategy. She previously built cybersecurity capabilities at General Electric for 19 years.
Almost three years after the breach, Blackbaud has not uncovered any evidence that the stolen data was used nefariously.
“Based on the nature of the Security Incident, our research and third party (including law enforcement) investigation, we do not believe that any data went beyond the cybercriminal, has been misused, or has been disseminated or otherwise made available publicly,” the company said in its 2022 SEC annual report that was filed last month.
Blackbaud’s Ongoing Legal Costs Due to the Data Breach
Despite the breach, Blackbaud’s revenue remained strong. Its year-over-year growth for both 2019-2020 and 2020-2021 remained steady at about 1.5%, according to SEC filings. For 2022, a year in which Blackbaud acquired EVERFI and Kilter, the software provider announced its revenue surpassed $1 billion for the first time ever, a 14.1% increase over 2021.
However, security incident-related costs exceeded Blackbaud’s $50 million insurance coverage in the first quarter of 2022, according to its 2022 SEC annual report. Security incident-related costs totaled $57.6 million in 2022, up from $40.5 million in 2021 and $9.8 million in 2020, before insurance reimbursements.
Blackbaud’s cybersecurity program enhancements are not included in that figure, according to its annual report. Expenses in its security incident-related cost category are primarily third-party service provider and consultant payments, which include legal fees. Blackbaud currently expects 2023 net cash outlays of $25 million to $35 million for ongoing legal fees related to the security incident. Ongoing legal costs, per SEC filings, fall into three categories:
- Customer claims. Blackbaud noted there are about 260 customer reimbursement requests to date. About 200 of those have been resolved. An additional 400 U.S., Canadian and U.K. customers — or their attorneys — have reserved the right to recover expenses in the future. U.K. donors, as well as various insurance companies, have filed claims as well.
- Customer constituent class actions. Blackbaud is a defendant in 19 class-action cases as of the end of last year, the company disclosed. The 17 U.S. federal cases have been consolidated into one. The remaining two are in Canadian courts.
- Government investigations. Aside from the SEC, the U.S. Federal Trade Commission, and U.S. Department of Health and Human Services, as well as Australian and Canadian government agencies, are investigating Blackbaud. Additionally, Blackbaud has received one consolidated civil investigative demand on behalf of 49 state attorneys general and Washington, D.C., and a separate one from California’s attorney general.
As of the end of 2022, Blackbaud’s liability to government agencies stood at about $23 million, according to its 2022 SEC annual report.
“We continue to cooperate with all ongoing investigations, which include various requests for documents, policies, narratives and communications, as well as requests to interview or depose various Company-related personnel,” according to its 2022 SEC annual report. “... Each of these separate governmental investigations could result in adverse judgements, settlements, fines, penalties or other resolution, the amount, scope and timing of which we are currently unable to predict, but could have a material adverse impact on our results of operations, cash flows or financial condition.”