Blackbaud, a South Carolina-based software company, has been ordered by the California Attorney General’s Office to pay $6.75 million to settle a ransomware attack that took place in May 2020.

The attack occurred due to poor security practices, the AG’s office said.

After Blackbaud revealed that the threat actors compromised unencrypted Social Security numbers, bank account details, and login credentials, the company “then made misleading statements about the sufficiency of its data security efforts prior to the breach and about the extent of the breach to its nonprofit customers and the public,” stated the Attorney General’s press release. “These actions violated the Reasonable Data Security Law, Unfair Competition Law, and the False Advertising Law related to data security.”