In the Matter of Blackbaud, Inc., SEC File No. 3-21339 (March 9, 2023)

Facts

D is a Delaware corporation headquartered in Charleston, South Carolina, that provides donor relationship management software to various non-profit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. D’s common stock trades on the NASDAQ. On May 14, 2020, D detected unauthorized access to the company’s systems and determined the access may have begun as early as February 2020. D’s cybersecurity personnel consulted with a third-party vendor to engage in communications with the attacker, and ultimately coordinate payment of a ransom in exchange for the attacker’s promise to delete the exfiltrated data. At first, D thought that the attacker exfiltrated at least a million files. The company’s technology personnel analyzed the exfiltrated file names to identify which products and customers were impacted. D did not analyze the content of any of the exfiltrated files, and D did not direct any of its third-party vendors to do so. Based on the file name review, D identified over 13,000 impacted customers and multiple impacted products, including various versions of the company’s donor relationship software. On July 16, 2020, D announced the incident for the first time on its website. The company also sent notices about the incident to the impacted customers. D stated, “The cybercriminal did not access . . . bank account information, or social security numbers.” By the end of July 2020, D learned that the attacker had, in fact, accessed donor bank account information and social security numbers in an unencrypted form for a number of the impacted customers. D received over a thousand communications from customers regarding the incident.
A number of customers raised concerns that they had uploaded sensitive donor data, including social security numbers and bank account information, to fields that were not otherwise encrypted, or that they had included such information in attachments that were uploaded to D’s products and not encrypted. By July 21, 2020, five days after the website post and notices, D had developed a script for customer service personnel that acknowledged that certain attachments and fields potentially used to store social security numbers and bank account information were, in fact, not encrypted. D confirmed that certain donor bank account information and social security numbers had been accessed and exfiltrated by the attacker in an unencrypted format, contrary to the claims in the company’s July 16, 2020 website post and notices. The personnel with this information about the broader scope of the impacted data did not communicate it to D’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure that they did so. On August 4, 2020, D filed its Form 10-Q for the second fiscal quarter of 2020. D had met with analysts and held its quarterly earnings call, during which analysts asked several questions about the cybersecurity incident, including questions concerning the nature of the data impacted, which D did not answer. In the Form 10-Q as filed, D included a discussion about the scope of the incident, stating only that “the cybercriminal removed a copy of a subset of data.” D made no reference to the attacker removing any sensitive donor data and, in particular, made no mention of the exfiltration of donor social security numbers and bank account numbers. D omitted the material fact that a number of customers had unencrypted bank account and social security numbers exfiltrated, in contrast to the company’s unequivocal, and ultimately erroneous, claims in the July 16, 2020 website post and customer notices.
The August 4, 2020 statements perpetuated the false impression, started with D’s earlier website post and customer notices, that the incident did not result in the attacker accessing highly sensitive donor data (data at the core of the company’s business as a service provider helping institutions manage donor relationships), when in fact D’s personnel learned before August 4, 2020, that such data had been accessed and exfiltrated by the attacker. On September 29, 2020, D filed a Form 8-K concerning the incident. D acknowledged for the first time that “the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords.” D sent supplemental notices to customers that D believed had such sensitive donor information accessed and exfiltrated.