Material SEC Cybersecurity Disclosures
- We include all Item 1.05 filings, which are considered material per the SEC rule (even if not characterized as material by the filer).
- We also include Item 8.01 filings deemed material submitted between the July 26, 2023, ruling and Dec. 18, 2023.
- We do not include non-material Item 7.01 and Item 8.01 filings submitted after Dec. 18, 2023 (see Company pages for non-material filings).
Filing Date Accession Number Company Form CIK Trading Symbol Item 1.05 Item 7.01 Item 8.01 Exhibit No 99_1 Text Exhibit No 99_1 URL Exhibit No 99_2 Text Exhibit No 99_2 URL URL SIC SIC Description Category Name of Exchanges EDGAR Company URL
12/01/2023
0001193125-23-287449
23andMe Holding Co.
8-K/A
1804591
['ME']
On October 10, 2023, 23andMe Holding Co. (the “Company,” “23andMe,” “we,” “us,” and “our”) filed a Current Report on Form 8-K (the “Original Form 8-K”) reporting that it learned that certain user profile information, which a 23andMe user (each, a “user” and collectively, the “users”) creates and chooses to share with their genetic relatives in 23andMe’s DNA Relatives feature, was accessed and downloaded from individual 23andMe.com (the “23andMe website”) user accounts (the “incident”) by a threat actor (the “threat actor”). The Company is filing this Amendment No. 1 to the Original Form 8-K (this “Amendment”) to provide supplemental information regarding the incident. Except as expressly set forth herein, this Amendment does not amend the Original Form 8-K in any way and does not modify or update any other disclosures contained in the Original Form 8-K. This Amendment supplements the Original Form 8-K and should be read in conjunction with the Original Form 8-K. On October 1, 2023, a threat actor posted online a claim to have 23andMe users’ profile information. Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity. Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained. 23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward. As of the filing date of this Amendment, the Company expects to incur between $1 million and $2 million in onetime expenses related to the incident during its fiscal third quarter ending December 31, 2023, primarily consisting of technology consulting services, legal fees, and expenses of other third-party advisors. The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results. As of the filing date of this Amendment, the Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024. As of the filing date of this Amendment and as a result of the incident, multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome. The Company is also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies. The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time. While the Company believes the investigation into these matters is complete, the Company may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. All information provided in this Amendment is as of the date hereof and 23andMe’s undertakes no duty to update this information except as required by applicable law.
Forward-Looking Statements This Amendment contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to data, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational, and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise, or corruption of data, loss of business, reputational damage adversely affecting user relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident. This Amendment includes several website addresses. These website addresses are intended to provide inactive, textual references only. The information on these websites is not part of this Amendment. The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto.
https://www.sec.gov/Archives/edgar/data/1804591/000119312523287449/d242666d8ka.htm
2834
Pharmaceutical Preparations
Accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001804591
10/10/2023
0001193125-23-253488
23andMe Holding Co.
8-K
1804591
['ME']
23andMe Holding Co. (“23andMe,” “we,” “us,” and “our”) recently learned that certain profile information, which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature, was accessed from individual 23andMe.com accounts without the account users’ authorization (the “incident”). Based on 23andMe’s investigation as of the date of this Current Report on Form 8-K, we do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks. While our investigation is ongoing, as of the date of this Current Report on Form 8-K, we believe the threat actor was able to access certain accounts in instances usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available. 23andMe undertook immediate action in accordance with its incident response plan, including taking affirmative security measures to mitigate any potential impact of the incident, working to validate whether data that was accessed was legitimate data from the Website, and determining the full scope of data accessed by unauthorized individuals. 23andMe has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact of the incident. 23andMe is fully cooperating with federal law enforcement in relation to this incident. 23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations. 23andMe’s investigation into these matters is preliminary and on going, and 23andMe is still discerning the implications of the incident. During the course of the investigation, 23andMe may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. At this time, 23andMe is unable to predict the costs and magnitude of those consequences. Forward-Looking Statements This Current Report on Form 8-K contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to data, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise or corruption of data, loss of business, reputational damage adversely affecting customer relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities; and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident. All information provided in this Current Report on Form 8-K is as of the date hereof and 23andMe’s undertakes no duty to update this information except as required by applicable law. The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto.
https://www.sec.gov/Archives/edgar/data/1804591/000119312523253488/d520529d8k.htm
2834
Pharmaceutical Preparations
Accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001804591
07/12/2024
0000732717-24-000046
AT&T INC.
8-K
732717
['T', 'TBB', 'TBC', 'T-PA', 'T-PC']
On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below.
The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.
AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers.
On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended. As of the date of this filing, AT&T does not believe that the data is publicly available.
As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.
https://www.sec.gov/ix?doc=/Archives/edgar/data/732717/000073271724000046/t-20240506.htm
4813
Telephone Communications (No Radiotelephone)
Large accelerated filer
['NYSE', 'NYSE', 'NYSE', 'NYSE', 'NYSE']
https://www.sec.gov/edgar/browse/?CIK=0000732717
04/08/2024
0001213900-24-031252
B. Riley Financial, Inc.
8-K
1464790
['RILY', 'RILYG', 'RILYK', 'RILYL', 'RILYM', 'RILYN', 'RILYO', 'RILYP', 'RILYT', 'RILYZ']
On April 5, 2024, Targus International, LLC and certain affiliates (collectively, “Targus”), each of which is an indirect subsidiary of B. Riley Financial, Inc. (the “Company”), discovered that a threat actor gained unauthorized access to certain of Targus’ file systems. Upon discovery and with assistance from external cybersecurity counsel and consultants, Targus immediately activated its incident response and business continuity protocols to investigate, contain and remediate the incident. Through this process, proactive containment measures to disrupt unauthorized access resulted in a temporary interruption in the business operations of the Targus network.
The incident has been contained and Targus systems recovery efforts are in process.
While the investigation is ongoing and the incident has temporarily disrupted Targus’ business operations, as of the date of this filing, the Company does not currently believe that this incident will materially impact the Company’s financial condition or results of operations taken as a whole. Business operations for each of the Company’s other subsidiaries have continued without disruption in all material respects, and no other Company business has been affected. Last year, Targus was not a significant contributor to the Company’s Operating Adjusted EBITDA.
Targus has notified relevant regulatory authorities and will work with law enforcement with respect to the unauthorized access to information.
https://www.sec.gov/ix?doc=/Archives/edgar/data/1464790/000121390024031252/ea0203500-8k_briley.htm
6282
Investment Advice
Large accelerated filer
['Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001464790
07/15/2024
0001437749-24-022743
BASSETT FURNITURE INDUSTRIES INC
8-K
10329
['BSET']
On July 10, 2024, Bassett Furniture Industries, Incorporated (the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company’s business operations by encrypting some data files. As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities. The Company’s retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail, e-commerce and wholesale customers. At this time, the Company does not believe personal information from consumers was compromised. The Company continues to work diligently to respond to and mitigate the impact from the incident.
As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
https://www.sec.gov/ix?doc=/Archives/edgar/data/10329/000143774924022743/bset20240715_8k.htm
2511
Wood Household Furniture, (No Upholstered)
Accelerated filer
Smaller reporting company
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0000010329
06/14/2024
0001280058-24-000048
BLACKBAUD INC
8-K
1280058
['BLKB']
On June 13, 2024, Blackbaud, Inc. (“Blackbaud” or the “Company”) agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the “Final Judgment”) relating to the previously disclosed 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the last remaining U.S. state attorney general investigation into the Security Incident.
Under the terms of the settlement, the Company has agreed to comply with applicable laws; not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters; and to implement and improve certain cybersecurity programs and tools. The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as previously disclosed.
As part of the settlement, the Company also agreed to pay a total of $6.75 million to the State of California. This amount was fully accrued as a contingent liability in the Company’s financial statements as of March 31, 2024.
By agreeing to the Final Judgment, Blackbaud has denied wrongdoing or liability of any kind. Nothing contained in the Final Judgment is intended to be, and shall not in any event be construed or deemed to be, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Blackbaud or any fact or violation of law, rule, or regulation.
The foregoing description is qualified in its entirety by reference to the full text of the Final Judgment attached hereto as Exhibit 99.1 and incorporated by reference herein.
Final Judgment and Permanent Injunction of the State of California, County of San Diego, dated June 13, 2024
https://www.sec.gov/Archives/edgar/data/1280058/000128005824000048/blackbaudjudgmentfinal.htm
https://www.sec.gov/Archives/edgar/data/1280058/000128005824000048/blkb-20240613.htm
7372
Services-Prepackaged Software
Large accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001280058
05/16/2024
0001280058-24-000042
BLACKBAUD INC
8-K
1280058
['BLKB']
As previously disclosed, Blackbaud, Inc. (the “Company”) is a defendant in putative consumer class action cases in U.S. federal courts, which have been consolidated under multi district litigation to a single federal court, the United States District Court for the District of South Carolina Columbia Division (the “Court”) (Case No.:3:20-mn-02972-JFA) alleging harm from a 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). The plaintiffs in this case, who purport to represent various classes of individual constituents of the Company’s customers, generally claim to have been harmed by alleged actions and/or omissions by the Company in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees and other related relief.
On May 14, 2024, the Court issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs’ motion for class certification because of the plaintiffs’ failure to meet their burden of proof as to ascertainability, (2) granting the Company’s motion to exclude the multi district litigation plaintiffs’ expert on the issue of ascertainability, and (3) denying the multi district litigation plaintiffs’ motion to exclude the Company’s expert on the issue of ascertainability. Further, the Court denied as moot all other pending motions. The Court’s determination as to these motions is subject to potential appeal to the Fourth Circuit Court of Appeals (the “Fourth Circuit”), and this litigation remains ongoing without regard to whether any such appeal is sought by the plaintiffs or granted by the Fourth Circuit.
For additional information regarding the Company’s customer constituent class actions or other matters related to the Security Incident, see the Company’s most recently filed Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on May 1, 2024.
The information set forth in this Item 7.01 of this Current Report on Form 8-K shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act, regardless of any general incorporation language in such filing, unless expressly incorporated by reference in such filing.
https://www.sec.gov/Archives/edgar/data/1280058/000128005824000042/blkb-20240514.htm
7372
Services-Prepackaged Software
Large accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001280058
02/02/2024
0001140361-24-005318
BLACKBAUD INC
8-K
1280058
['BLKB']
On February 1, 2024, the U.S. Federal Trade Commission (the “FTC”) announced its approval of a settlement with Blackbaud, Inc. (the “Company”) relating to the previously announced 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). When finalized, this settlement will fully resolve the previously disclosed FTC investigation relating to the Security Incident, which is further described in the FTC’s complaint and proposed order.
Under the terms of the FTC’s proposed order, the Company has agreed to certain conditions, which are reflected in their entirety in the FTC’s proposed order. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment.
The Company has agreed to the FTC’s proposed order without admitting or denying any of the allegations in the FTC’s complaint, except as expressly stated otherwise in the FTC’s proposed order.
The foregoing description is qualified in its entirety by reference to the full text of the form of the FTC’s proposed order attached hereto as Exhibit 99.2 and incorporated by reference herein.
Press release dated February 2, 2024 announcing the FTC’s proposed order.
https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_ex99-1.htm
Form of FTC’s proposed order.
https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_ex99-2.htm
https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_8k.htm
7372
Services-Prepackaged Software
Large accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001280058
10/05/2023
0001280058-23-000040
BLACKBAUD INC
8-K
1280058
['BLKB']
On October 5, 2023, Blackbaud, Inc. (“Blackbaud” or the “Company”) entered into separate, substantially similar Assurances of Voluntary Compliance or Assurances of Discontinuance with each of 49 state Attorneys General and the District of Columbia (collectively, the “Administrative Orders”) relating to the previously announced 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multistate Investigation”), which is further described in the substantially similar Administrative Orders filed today in each of the 49 states and the District of Columbia.
Under the terms of the Administrative Orders, the Company has agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to Blackbaud customers or the individuals whose data is stored by the Company concerning (a) the extent to which Blackbaud protects the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools.
As part of the Administrative Orders, the Company also has agreed to pay a total of $49.5 million to the 49 states and District of Columbia. The Company expects to pay the full settlement amount to each state and the District of Columbia in October 2023 from its existing liquidity. This amount was fully accrued as a contingent liability in the Company’s financial statements as of June 30, 2023.
The Company has entered into the Administrative Orders without admitting fault of liability in connection with the matters subject to the Multistate Investigation.
The foregoing description is qualified in its entirety by reference to the full text of the form of Administrative Order attached hereto as Exhibit 99.2 and incorporated by reference herein.
As previously disclosed, the Office of the Attorney General of the State of California did not participate in the Multistate Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved. Although the Company is hopeful that it can resolve this matter on acceptable terms, there is no assurance that it will be able to do so on terms acceptable to the Company and to the State of California.
Press release dated October 5, 2023, announcing the Administrative Orders
https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkbex991agsettlementpress.htm
SEC Form of Administrative Order
https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkbex992formofadministrat.htm
https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkb-20231005.htm
7372
Services-Prepackaged Software
Large accelerated filer
['Nasdaq']
https://www.sec.gov/edgar/browse/?CIK=0001280058
05/28/2024
0001193125-24-147625
BRANDYWINE OPERATING PARTNERSHIP, L.P.
8-K/A
1060386
[]
As disclosed in the Original Report, on May 1, 2024, the Company detected unauthorized occurrences by a third party on portions of the Company’s information technology (“IT”) systems. Upon detecting the unauthorized occurrences, the Company promptly initiated its previously established response protocols and began taking steps to contain, assess and remediate the cybersecurity incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, shutting down portions of the IT systems and notifying law enforcement.
The detected occurrences consisted of the third party’s unauthorized access to, and deployment of encryption to, a portion of the Company’s internal corporate IT systems and the exfiltration of certain files, including files containing personal information. The cybersecurity incident caused disruptions, and limitation of access, to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems. The Company’s real estate operations have continued throughout the period since the detection of the cybersecurity incident in all material respects.
As a result of the Company’s remediation and other activities, as of the date this Amendment, the Company believes that (i) the third party has been removed from the Company’s IT systems, (ii) the Company’s access to the affected information has been restored and (iii) the procedures performed have confirmed the completeness and integrity of the impacted information.
The Company’s investigation of the cybersecurity incident, including the Company’s assessment of the scope of personal information included in the exfiltrated information, remains ongoing. The Company intends to provide required notifications to affected and potentially affected parties and to regulatory agencies.
As part of its remediation activities, the Company is evaluating additional procedures and software to strengthen its surveillance of cybersecurity threats and to prevent unauthorized occurrences on or conducted through its IT systems and to strengthen its information backup systems. The Company currently expects that a substantial portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries. As of the date of this Amendment, the cybersecurity incident has not had a material impact on the Company’s financial condition or results of operations, and the Company does not believe the cybersecurity incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
https://www.sec.gov/Archives/edgar/data/1060386/000119312524147625/d774339d8ka.htm
6798
Real Estate Investment Trusts
Large Accelerated
Well Known Seasoned Issuer
[]
https://www.sec.gov/edgar/browse/?CIK=0001060386
Filing Date Company Trading Symbol
Filing Date:
Accession Number:
Company:
Form:
CIK:
Trading Symbol:
Item 1.05:
Item 7.01:
Item 8.01:
Exhibit No 99_1 Text:
Exhibit No 99_1 URL:
Exhibit No 99_2 Text:
Exhibit No 99_2 URL:
URL:
SIC:
SIC Description:
Category:
Name of Exchanges:
EDGAR Company URL:
Filing Date | Accession Number | Company | Form | CIK | Trading Symbol | Item 1.05 | Item 7.01 | Item 8.01 | Exhibit No 99_1 Text | Exhibit No 99_1 URL | Exhibit No 99_2 Text | Exhibit No 99_2 URL | URL | SIC | SIC Description | Category | Name of Exchanges | EDGAR Company URL |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
12/01/2023 | 0001193125-23-287449 | 23andMe Holding Co. | 8-K/A | 1804591 | ['ME'] | On October 10, 2023, 23andMe Holding Co. (the “Company,” “23andMe,” “we,” “us,” and “our”) filed a Current Report on Form 8-K (the “Original Form 8-K”) reporting that it learned that certain user profile information, which a 23andMe user (each, a “user” and collectively, the “users”) creates and chooses to share with their genetic relatives in 23andMe’s DNA Relatives feature, was accessed and downloaded from individual 23andMe.com (the “23andMe website”) user accounts (the “incident”) by a threat actor (the “threat actor”). The Company is filing this Amendment No. 1 to the Original Form 8-K (this “Amendment”) to provide supplemental information regarding the incident. Except as expressly set forth herein, this Amendment does not amend the Original Form 8-K in any way and does not modify or update any other disclosures contained in the Original Form 8-K. This Amendment supplements the Original Form 8-K and should be read in conjunction with the Original Form 8-K. On October 1, 2023, a threat actor posted online a claim to have 23andMe users’ profile information. Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity. Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the “Credential Stuffed Accounts”). The information accessed by the threat actor in the Credential Stuffed Accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the Credential Stuffed Accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this Amendment, the Company believes that the threat actor activity is contained. 23andMe is in the process of providing notification to users impacted by the incident as required by applicable law. While no company can ever completely eliminate the risk of a cyber attack, the Company has taken certain steps to further protect its users’ data. For example, on October 10, 2023, 23andMe required all users to reset their passwords, and on November 6, 2023, 23andMe required all new and existing users to login into the 23andMe website using two-step verification going forward. As of the filing date of this Amendment, the Company expects to incur between $1 million and $2 million in onetime expenses related to the incident during its fiscal third quarter ending December 31, 2023, primarily consisting of technology consulting services, legal fees, and expenses of other third-party advisors. The Company believes that such expenses and the direct or indirect business impacts of the incident could negatively affect its financial results. As of the filing date of this Amendment, the Company is not able to predict whether such direct or indirect impacts of the incident could have a material effect on its financial condition and/or results of operations for the fiscal year ending March 31, 2024. As of the filing date of this Amendment and as a result of the incident, multiple class action claims have been filed against the Company in federal and state court in California and state court in Illinois, as well as in British Columbia and Ontario, Canada, which the Company is defending. These cases are at an early stage, and the Company cannot predict the outcome. The Company is also assessing its response to notices filed by consumers under the California Consumer Privacy Act and to inquiries from various governmental officials and agencies. The full scope of the costs and related impacts of this incident and related litigation, including, without limitation, the availability of insurance to offset some of these costs, cannot be estimated at this time. While the Company believes the investigation into these matters is complete, the Company may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. All information provided in this Amendment is as of the date hereof and 23andMe’s undertakes no duty to update this information except as required by applicable law. Forward-Looking Statements This Amendment contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to data, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance, or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational, and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise, or corruption of data, loss of business, reputational damage adversely affecting user relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities, and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident. This Amendment includes several website addresses. These website addresses are intended to provide inactive, textual references only. The information on these websites is not part of this Amendment. The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto. | https://www.sec.gov/Archives/edgar/data/1804591/000119312523287449/d242666d8ka.htm | 2834 | Pharmaceutical Preparations | Accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001804591 | ||||||
10/10/2023 | 0001193125-23-253488 | 23andMe Holding Co. | 8-K | 1804591 | ['ME'] | 23andMe Holding Co. (“23andMe,” “we,” “us,” and “our”) recently learned that certain profile information, which a customer creates and chooses to share with their genetic relatives in the DNA Relatives feature, was accessed from individual 23andMe.com accounts without the account users’ authorization (the “incident”). Based on 23andMe’s investigation as of the date of this Current Report on Form 8-K, we do not have any indication at this time that there has been a data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks. While our investigation is ongoing, as of the date of this Current Report on Form 8-K, we believe the threat actor was able to access certain accounts in instances usernames and passwords that were used on 23andMe.com were the same as those used on other websites that had been previously compromised or otherwise available. 23andMe undertook immediate action in accordance with its incident response plan, including taking affirmative security measures to mitigate any potential impact of the incident, working to validate whether data that was accessed was legitimate data from the Website, and determining the full scope of data accessed by unauthorized individuals. 23andMe has retained third-party forensic experts to assist in an investigation of the cause and scope of the incident, and in mitigating and remediating the impact of the incident. 23andMe is fully cooperating with federal law enforcement in relation to this incident. 23andMe is currently working to confirm the scope of data accessed, and is investigating the nature of the personal data in question and any related legal obligations. 23andMe’s investigation into these matters is preliminary and on going, and 23andMe is still discerning the implications of the incident. During the course of the investigation, 23andMe may become aware of new or different information or information that differs from that contained in this Current Report on Form 8-K. At this time, 23andMe is unable to predict the costs and magnitude of those consequences. Forward-Looking Statements This Current Report on Form 8-K contains “forward-looking” statements, which are subject to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, including statements regarding 23andMe’s understanding of the cause of the incident, the scope of the incident, the persons or organizations that may be responsible for the incident, the status and results of the investigations to data, and the potential impact of the incident on 23andMe’s business operations and financial results and condition. These forward-looking statements are based on management’s beliefs and assumptions and on information currently available to management, which may change as investigations proceed and new or different information is discovered. Forward-looking statements include all statements that are not historical facts and may be identified by terms such as “aim,” “anticipate,” “believe,” “can,” “could,” “seek,” “should,” “feel,” “expect,” “will,” “would,” “plan,” “intend,” “estimate,” “continue,” “may,” or similar expressions and the negatives of those terms. Forward-looking statements involve known and unknown risks, uncertainties and other factors that may cause actual results, performance or achievements to be materially different from any future results, performance or achievements expressed or implied by the forward-looking statements. Factors that could cause or contribute to such differences include, but are not limited to the discovery of new or different information relating to the incident and its mitigation, numerous financial, legal, reputational and other risks to 23andMe related to the incident, including risks that the incident may result in the loss, compromise or corruption of data, loss of business, reputational damage adversely affecting customer relationships and investor confidence, U.S. regulatory investigations and enforcement actions, litigation, indemnity obligations, damages for contractual breach, penalties for violation of applicable laws or regulations, significant costs for remediation and the incurrence of other liabilities; and the possibility that 23andMe’s insurance coverage will cover only certain security and privacy damages and claim expenses may not be available or sufficient to compensate for any and all liabilities that 23andMe may incur related to the incident. All information provided in this Current Report on Form 8-K is as of the date hereof and 23andMe’s undertakes no duty to update this information except as required by applicable law. The information in this report furnished pursuant to Item 7.01 shall not be deemed to be “filed” for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended, nor shall it be incorporated by reference in any filing made by the Company pursuant to the Securities Act of 1933, as amended, other than to the extent that such filing incorporates by reference any or all of such information by express reference thereto. | https://www.sec.gov/Archives/edgar/data/1804591/000119312523253488/d520529d8k.htm | 2834 | Pharmaceutical Preparations | Accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001804591 | ||||||
07/12/2024 | 0000732717-24-000046 | AT&T INC. | 8-K | 732717 | ['T', 'TBB', 'TBC', 'T-PA', 'T-PC'] | On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023, as described below. The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. Current analysis indicates that the data includes, for these periods of time, records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network. These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number. AT&T has taken additional cybersecurity measures in response to this incident including closing off the point of unlawful access. AT&T will provide notice to its current and former impacted customers. On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended. As of the date of this filing, AT&T does not believe that the data is publicly available. As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations. | https://www.sec.gov/ix?doc=/Archives/edgar/data/732717/000073271724000046/t-20240506.htm | 4813 | Telephone Communications (No Radiotelephone) | Large accelerated filer | ['NYSE', 'NYSE', 'NYSE', 'NYSE', 'NYSE'] | https://www.sec.gov/edgar/browse/?CIK=0000732717 | ||||||
04/08/2024 | 0001213900-24-031252 | B. Riley Financial, Inc. | 8-K | 1464790 | ['RILY', 'RILYG', 'RILYK', 'RILYL', 'RILYM', 'RILYN', 'RILYO', 'RILYP', 'RILYT', 'RILYZ'] | On April 5, 2024, Targus International, LLC and certain affiliates (collectively, “Targus”), each of which is an indirect subsidiary of B. Riley Financial, Inc. (the “Company”), discovered that a threat actor gained unauthorized access to certain of Targus’ file systems. Upon discovery and with assistance from external cybersecurity counsel and consultants, Targus immediately activated its incident response and business continuity protocols to investigate, contain and remediate the incident. Through this process, proactive containment measures to disrupt unauthorized access resulted in a temporary interruption in the business operations of the Targus network. The incident has been contained and Targus systems recovery efforts are in process. While the investigation is ongoing and the incident has temporarily disrupted Targus’ business operations, as of the date of this filing, the Company does not currently believe that this incident will materially impact the Company’s financial condition or results of operations taken as a whole. Business operations for each of the Company’s other subsidiaries have continued without disruption in all material respects, and no other Company business has been affected. Last year, Targus was not a significant contributor to the Company’s Operating Adjusted EBITDA. Targus has notified relevant regulatory authorities and will work with law enforcement with respect to the unauthorized access to information. | https://www.sec.gov/ix?doc=/Archives/edgar/data/1464790/000121390024031252/ea0203500-8k_briley.htm | 6282 | Investment Advice | Large accelerated filer | ['Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq', 'Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001464790 | ||||||
07/15/2024 | 0001437749-24-022743 | BASSETT FURNITURE INDUSTRIES INC | 8-K | 10329 | ['BSET'] | On July 10, 2024, Bassett Furniture Industries, Incorporated (the “Company”) detected unauthorized occurrences on a portion of its information technology (IT) systems. Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company’s business operations by encrypting some data files. As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities. The Company’s retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted. The Company is working to bring the impacted portions of its IT systems back online and implement workarounds for certain offline operations with the aim of reducing disruption to its ability to serve its retail, e-commerce and wholesale customers. At this time, the Company does not believe personal information from consumers was compromised. The Company continues to work diligently to respond to and mitigate the impact from the incident. As the investigation of the incident is ongoing, the full scope, nature and impact of the incident are not yet known. As of the date of this filing, the incident has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed. The Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations. | https://www.sec.gov/ix?doc=/Archives/edgar/data/10329/000143774924022743/bset20240715_8k.htm | 2511 | Wood Household Furniture, (No Upholstered) | Accelerated filer Smaller reporting company |
['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0000010329 | ||||||
06/14/2024 | 0001280058-24-000048 | BLACKBAUD INC | 8-K | 1280058 | ['BLKB'] | On June 13, 2024, Blackbaud, Inc. (“Blackbaud” or the “Company”) agreed to a Final Judgment and Permanent Injunction with the Attorney General of the State of California (the “Final Judgment”) relating to the previously disclosed 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the last remaining U.S. state attorney general investigation into the Security Incident. Under the terms of the settlement, the Company has agreed to comply with applicable laws; not to make misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements, and similar matters; and to implement and improve certain cybersecurity programs and tools. The terms of the settlement with California are generally consistent with those to which Blackbaud agreed in settling with the other 49 state Attorneys General and the District of Columbia on October 5, 2023, as previously disclosed. As part of the settlement, the Company also agreed to pay a total of $6.75 million to the State of California. This amount was fully accrued as a contingent liability in the Company’s financial statements as of March 31, 2024. By agreeing to the Final Judgment, Blackbaud has denied wrongdoing or liability of any kind. Nothing contained in the Final Judgment is intended to be, and shall not in any event be construed or deemed to be, an admission or concession or evidence of any liability or wrongdoing whatsoever on the part of Blackbaud or any fact or violation of law, rule, or regulation. The foregoing description is qualified in its entirety by reference to the full text of the Final Judgment attached hereto as Exhibit 99.1 and incorporated by reference herein. | Final Judgment and Permanent Injunction of the State of California, County of San Diego, dated June 13, 2024 | https://www.sec.gov/Archives/edgar/data/1280058/000128005824000048/blackbaudjudgmentfinal.htm | https://www.sec.gov/Archives/edgar/data/1280058/000128005824000048/blkb-20240613.htm | 7372 | Services-Prepackaged Software | Large accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001280058 | ||||
05/16/2024 | 0001280058-24-000042 | BLACKBAUD INC | 8-K | 1280058 | ['BLKB'] | As previously disclosed, Blackbaud, Inc. (the “Company”) is a defendant in putative consumer class action cases in U.S. federal courts, which have been consolidated under multi district litigation to a single federal court, the United States District Court for the District of South Carolina Columbia Division (the “Court”) (Case No.:3:20-mn-02972-JFA) alleging harm from a 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). The plaintiffs in this case, who purport to represent various classes of individual constituents of the Company’s customers, generally claim to have been harmed by alleged actions and/or omissions by the Company in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees and other related relief. On May 14, 2024, the Court issued a memorandum opinion and order (1) denying the multi district litigation plaintiffs’ motion for class certification because of the plaintiffs’ failure to meet their burden of proof as to ascertainability, (2) granting the Company’s motion to exclude the multi district litigation plaintiffs’ expert on the issue of ascertainability, and (3) denying the multi district litigation plaintiffs’ motion to exclude the Company’s expert on the issue of ascertainability. Further, the Court denied as moot all other pending motions. The Court’s determination as to these motions is subject to potential appeal to the Fourth Circuit Court of Appeals (the “Fourth Circuit”), and this litigation remains ongoing without regard to whether any such appeal is sought by the plaintiffs or granted by the Fourth Circuit. For additional information regarding the Company’s customer constituent class actions or other matters related to the Security Incident, see the Company’s most recently filed Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission on May 1, 2024. The information set forth in this Item 7.01 of this Current Report on Form 8-K shall not be deemed “filed” for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”) or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference in any filing under the Securities Act of 1933, as amended, or the Exchange Act, regardless of any general incorporation language in such filing, unless expressly incorporated by reference in such filing. | https://www.sec.gov/Archives/edgar/data/1280058/000128005824000042/blkb-20240514.htm | 7372 | Services-Prepackaged Software | Large accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001280058 | ||||||
02/02/2024 | 0001140361-24-005318 | BLACKBAUD INC | 8-K | 1280058 | ['BLKB'] | On February 1, 2024, the U.S. Federal Trade Commission (the “FTC”) announced its approval of a settlement with Blackbaud, Inc. (the “Company”) relating to the previously announced 2020 security incident in which a cybercriminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). When finalized, this settlement will fully resolve the previously disclosed FTC investigation relating to the Security Incident, which is further described in the FTC’s complaint and proposed order. Under the terms of the FTC’s proposed order, the Company has agreed to certain conditions, which are reflected in their entirety in the FTC’s proposed order. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment. The Company has agreed to the FTC’s proposed order without admitting or denying any of the allegations in the FTC’s complaint, except as expressly stated otherwise in the FTC’s proposed order. The foregoing description is qualified in its entirety by reference to the full text of the form of the FTC’s proposed order attached hereto as Exhibit 99.2 and incorporated by reference herein. | Press release dated February 2, 2024 announcing the FTC’s proposed order. | https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_ex99-1.htm | Form of FTC’s proposed order. | https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_ex99-2.htm | https://www.sec.gov/Archives/edgar/data/1280058/000114036124005318/ef20020562_8k.htm | 7372 | Services-Prepackaged Software | Large accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001280058 | ||
10/05/2023 | 0001280058-23-000040 | BLACKBAUD INC | 8-K | 1280058 | ['BLKB'] | On October 5, 2023, Blackbaud, Inc. (“Blackbaud” or the “Company”) entered into separate, substantially similar Assurances of Voluntary Compliance or Assurances of Discontinuance with each of 49 state Attorneys General and the District of Columbia (collectively, the “Administrative Orders”) relating to the previously announced 2020 security incident in which a cyber criminal removed a copy of a subset of data from the Company’s self-housed environment (the “Security Incident”). This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multistate Investigation”), which is further described in the substantially similar Administrative Orders filed today in each of the 49 states and the District of Columbia. Under the terms of the Administrative Orders, the Company has agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to Blackbaud customers or the individuals whose data is stored by the Company concerning (a) the extent to which Blackbaud protects the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools. As part of the Administrative Orders, the Company also has agreed to pay a total of $49.5 million to the 49 states and District of Columbia. The Company expects to pay the full settlement amount to each state and the District of Columbia in October 2023 from its existing liquidity. This amount was fully accrued as a contingent liability in the Company’s financial statements as of June 30, 2023. The Company has entered into the Administrative Orders without admitting fault of liability in connection with the matters subject to the Multistate Investigation. The foregoing description is qualified in its entirety by reference to the full text of the form of Administrative Order attached hereto as Exhibit 99.2 and incorporated by reference herein. As previously disclosed, the Office of the Attorney General of the State of California did not participate in the Multistate Investigation and has issued a separate Civil Investigative Demand related to the Security Incident, which has not been resolved. Although the Company is hopeful that it can resolve this matter on acceptable terms, there is no assurance that it will be able to do so on terms acceptable to the Company and to the State of California. | Press release dated October 5, 2023, announcing the Administrative Orders | https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkbex991agsettlementpress.htm | SEC Form of Administrative Order | https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkbex992formofadministrat.htm | https://www.sec.gov/Archives/edgar/data/1280058/000128005823000040/blkb-20231005.htm | 7372 | Services-Prepackaged Software | Large accelerated filer | ['Nasdaq'] | https://www.sec.gov/edgar/browse/?CIK=0001280058 | ||
05/28/2024 | 0001193125-24-147625 | BRANDYWINE OPERATING PARTNERSHIP, L.P. | 8-K/A | 1060386 | [] | As disclosed in the Original Report, on May 1, 2024, the Company detected unauthorized occurrences by a third party on portions of the Company’s information technology (“IT”) systems. Upon detecting the unauthorized occurrences, the Company promptly initiated its previously established response protocols and began taking steps to contain, assess and remediate the cybersecurity incident, including beginning an investigation with leading external cybersecurity experts, activating its incident response plan, shutting down portions of the IT systems and notifying law enforcement. The detected occurrences consisted of the third party’s unauthorized access to, and deployment of encryption to, a portion of the Company’s internal corporate IT systems and the exfiltration of certain files, including files containing personal information. The cybersecurity incident caused disruptions, and limitation of access, to portions of the Company’s business applications supporting aspects of the Company’s operations and corporate functions, including financial and operating reporting systems. The Company’s real estate operations have continued throughout the period since the detection of the cybersecurity incident in all material respects. As a result of the Company’s remediation and other activities, as of the date this Amendment, the Company believes that (i) the third party has been removed from the Company’s IT systems, (ii) the Company’s access to the affected information has been restored and (iii) the procedures performed have confirmed the completeness and integrity of the impacted information. The Company’s investigation of the cybersecurity incident, including the Company’s assessment of the scope of personal information included in the exfiltrated information, remains ongoing. The Company intends to provide required notifications to affected and potentially affected parties and to regulatory agencies. As part of its remediation activities, the Company is evaluating additional procedures and software to strengthen its surveillance of cybersecurity threats and to prevent unauthorized occurrences on or conducted through its IT systems and to strengthen its information backup systems. The Company currently expects that a substantial portion of its direct costs incurred relating to containing, investigating and remediating the cybersecurity incident will be reimbursed through insurance recoveries. As of the date of this Amendment, the cybersecurity incident has not had a material impact on the Company’s financial condition or results of operations, and the Company does not believe the cybersecurity incident is reasonably likely to materially impact the Company’s financial condition or results of operations. | https://www.sec.gov/Archives/edgar/data/1060386/000119312524147625/d774339d8ka.htm | 6798 | Real Estate Investment Trusts | Large Accelerated Well Known Seasoned Issuer |
[] | https://www.sec.gov/edgar/browse/?CIK=0001060386 | ||||||
Filing Date | Company | Trading Symbol |
Filing Date:
Accession Number:
Company:
Form:
CIK:
Trading Symbol:
Item 1.05:
Item 7.01:
Item 8.01:
Exhibit No 99_1 Text:
Exhibit No 99_1 URL:
Exhibit No 99_2 Text:
Exhibit No 99_2 URL:
URL:
SIC:
SIC Description:
Category:
Name of Exchanges:
EDGAR Company URL: