The ransomware attack affected more than 13,000 of the nonprofit software company’s customers. The SEC characterized that number as a quarter of Blackbaud’s customers and Blackbaud said records of about 6 million individuals were involved. The SEC noted that on July 16, 2020 announced “the ransomware attacker did not access donor bank account information or Social Security numbers.” However, within days of that, Blackbaud determined in fact that that had been accessed. But the company’s technology and customer relations personnel did not communicate this information to senior management “because the company failed to maintain disclosure controls and procedures,” according to the SEC. Blackbaud received more than 1,000 customer inquiries about the attack with some concerned they had uploaded sensitive data to fields that were not encrypted. A few days later, company service personnel used a Blackbaud script that acknowledged the fields were unencrypted. Last year, Blackbaud said the intrusion would cost it $25 million to $35 million.