Why did the feds fine company caught in the middle of cyber attack $3 million?
A cyber attack that puts customers’ personal and financial data at risk is bad enough to deal with. The last thing a company facing this situation wants to do is make a bad situation even worse.
Like jumping the gun and putting out a news release that sugarcoats the actual damage done by a hack.
The U.S. Securities and Exchange Commission (SEC) made that point clear enough by fining Blackbaud, a South Carolina-based data management software provider, $3 million for “making misleading disclosures about a 2020 ransomware attack that impacted more than 13,000 customers.”
Blackbaud announced on July 16, 2020 that a ransomware attacker didn’t gain access to customers’ Social Security numbers (SSNs) or bank account information. But over the next few days, IT and customer service personnel discovered that the attacker was able to access customers’ SSNs and bank accounts. “These employees didn’t communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures,” according to the SEC.
The SEC found that Blackbaud violated “sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and section 13(a) of the Securities Exchange Act of 1934 and rules 12b-20, 13a-13, and 13a-15(a) thereunder” by “misleading the public” and its shareholders and customers.
Treat press releases like you would financial disclosures
One of two scenarios occurred here:
- Blackbaud honestly believed customers’ SSNs and banking data weren’t breached and wanted to share those positive details quickly, or
- its IT team couldn’t provide a complete picture of the damage done by July 16 but Blackbaud wanted to get ahead of the bad publicity coming its way.
Which is it? Bottom line is, it doesn’t really matter what Blackbaud’s intentions were here.
Announcing that customers’ SSNs and banking info were untouched – when in reality the ransomware attacker got ahold of reams of sensitive data – couldn’t be excused with a simple apology.
Best bet: Treat company news releases and announcements like you would financial disclosures. Stick to the known facts only.
Regulators won’t hesitate to bring down the hammer on companies that don’t heed that warning, as Blackbaud found out.