In July 2020, Blackbaud — one of the world's largest providers of cloud-based customer relationship management (CRM) software for nonprofits, foundations, higher education institutions, and healthcare organizations — disclosed that it had been the victim of a ransomware attack in May 2020. The breach affected more than 400 organizations across the United States, United Kingdom, Canada, and the Netherlands. What made the incident particularly damaging was Blackbaud's response: the company paid the ransom, initially assured customers the data was safe, and then gradually revealed that the breach was far worse than first disclosed. The SEC ultimately charged Blackbaud with making misleading disclosures, and the company paid a $49.5 million multistate attorney general settlement.
The Attack and Initial Response
Blackbaud discovered the ransomware attack on May 14, 2020, and stated that its cybersecurity team, working with independent forensics experts and law enforcement, successfully expelled the attacker from its systems. However, before being expelled, the attacker had exfiltrated a copy of a subset of data from Blackbaud's self-hosted cloud environment.
Blackbaud made the controversial decision to pay the ransom. The company stated it received confirmation from the attacker that the stolen data had been destroyed. Blackbaud then notified affected customers in July 2020, approximately two months after discovery — a timeline that drew immediate criticism from security professionals and regulators.
In its initial notification, Blackbaud assured customers that "the cybercriminal did not access credit card information, bank account information, or Social Security numbers." This assurance proved to be false.
The Disclosure Unraveled
As affected organizations conducted their own investigations, the true scope of the breach became clear:
- September 2020: Blackbaud filed a Form 8-K with the SEC acknowledging that the attacker had in fact accessed unencrypted Social Security numbers, bank account information, and other sensitive financial data for some customers — directly contradicting its earlier assurance.
- Affected organizations included: major universities (University of Birmingham, University of Leeds, De Montfort University, National University of Ireland Galway), healthcare systems (Inova Health System, NorthShore University HealthSystem, Trinity Health), nonprofit organizations (Human Rights Watch, National Trust UK), and K-12 school districts.
- Data types exposed: donor names, contact information, dates of birth, donation history, employer information, estimated wealth data, and in many cases, Social Security numbers and financial account details.
Regulatory and Legal Consequences
Blackbaud's handling of the breach triggered multiple enforcement actions:
- SEC Charges (March 2023): The U.S. Securities and Exchange Commission charged Blackbaud with making materially misleading statements about the breach. The SEC found that Blackbaud's technology and customer relations personnel had learned within weeks that their initial statements about the data not including sensitive information were wrong, but that this information was not communicated to the senior management responsible for public disclosures, so the company's August 2020 quarterly report omitted it. Blackbaud paid a $3 million civil penalty to the SEC.
- Multistate AG Settlement (October 2023): Blackbaud agreed to a $49.5 million settlement with attorneys general from 49 states and the District of Columbia. The settlement also required Blackbaud to implement a comprehensive information security program, including breach response plans, encryption of sensitive data, network segmentation, and regular third-party security assessments.
- FTC Consent Order (February 2024): The FTC required Blackbaud to delete unnecessary data, implement a comprehensive security program, and submit to regular third-party assessments.
- UK ICO Enforcement: The UK Information Commissioner's Office also investigated Blackbaud and took enforcement action for GDPR violations affecting UK data subjects.
Why the Blackbaud Breach Matters for TPRM
The Blackbaud incident highlights several systemic risks in cloud vendor relationships:
Vendor concentration in the nonprofit/education sector: Blackbaud is the dominant CRM platform for the nonprofit and higher education sectors. When a single vendor serves hundreds of organizations in the same industry, a breach at that vendor has sector-wide consequences. Many of the affected organizations had limited cybersecurity resources and relied heavily on Blackbaud's security posture.
The ransom payment dilemma: Blackbaud's decision to pay the ransom and trust the attacker's assertion that stolen data was destroyed has been widely criticized. Security experts note that there is no reliable way to verify that criminals have deleted stolen data. The decision also set a concerning precedent for how cloud vendors handle ransomware incidents affecting their customers' data.
Misleading disclosures compound the damage: Blackbaud's initial assurance that sensitive data was not accessed, later proven false, meant that affected organizations delayed their own breach notifications and gave their constituents inaccurate information. The SEC charges addressed this failure from the investor-disclosure side, treating the gap between what Blackbaud's staff knew and what its quarterly filing said as a disclosure-controls failure; the state AG and FTC actions addressed the customer-facing side. Taken together, the actions signal that a vendor's statements about a breach are held to the same accuracy standard as any other material disclosure.
Recommendations for Third-Party Risk Management
- Require contractual audit and investigation rights. Vendor contracts should grant customers the right to conduct independent forensic investigations following a breach, not rely solely on the vendor's assessment.
- Evaluate vendor incident response plans. Before onboarding, assess whether the vendor has a tested incident response plan, a designated incident response team, and clear notification timelines.
- Assess data encryption practices. Verify that the vendor encrypts sensitive fields at rest and in transit, that keys are held separately from the data store, and that the encryption actually covers the fields you care about: in Blackbaud's case the Social Security numbers and bank account details were sitting in unencrypted fields, which is why the AG settlement specifically mandated encryption of sensitive data.
- Plan for vendor breach scenarios. Organizations should maintain their own breach notification procedures that can be activated independently of the vendor's timeline.
- Monitor vendor regulatory actions. Track SEC filings, FTC enforcement actions, and state AG settlements involving your vendors as ongoing risk indicators.
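One way to automate the last recommendation is to poll a vendor's SEC filing feed and flag 8-K filings that signal a cybersecurity incident. The script below is an added example and is not code from the original article or from Fair TPRM. It parses an Atom feed in the style of EDGAR's company-filings feed; the feed layout and the sample entries are constructed for illustration, so treat the field positions as an assumption to confirm against the live feed before relying on it. It flags 8-Ks that cite Item 1.05 (Material Cybersecurity Incidents, which only exists for filings made after the 2023 rule) and also older-style 8-Ks whose summary mentions an incident, since Blackbaud's September 2020 filing predated Item 1.05.

```python
"""Flag vendor 8-K filings that signal a cybersecurity incident.

Added example, not Blackbaud's or Fair TPRM's code. The Atom layout below
is an assumption modelled on EDGAR's company-filings feed; the entries are
constructed sample data, not real filings.
"""
import re
import xml.etree.ElementTree as ET

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}

# Patterns that should trigger a vendor review. The first catches the
# post-2023 Item 1.05 disclosure; the second catches incident language in
# 8-Ks filed under generic items such as Item 8.01 (Other Events).
INCIDENT_PATTERNS = [
    re.compile(r"item\s+1\.05", re.I),
    re.compile(r"cyber|ransomware|security incident|data breach|unauthorized access", re.I),
]

# Constructed sample feed (illustrative only, not real EDGAR data).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Vendor Corp (0000000000) - filings</title>
  <entry>
    <title>8-K</title>
    <link rel="alternate" href="https://www.sec.gov/Archives/edgar/data/0/example-1-index.htm"/>
    <updated>2020-09-29T16:05:00-04:00</updated>
    <summary type="html">Filed: 2020-09-29 Item 8.01: Other Events - update on security incident; ransomware attack disclosed</summary>
  </entry>
  <entry>
    <title>8-K</title>
    <link rel="alternate" href="https://www.sec.gov/Archives/edgar/data/0/example-2-index.htm"/>
    <updated>2020-10-28T16:10:00-04:00</updated>
    <summary type="html">Filed: 2020-10-28 Item 2.02: Results of Operations and Financial Condition</summary>
  </entry>
  <entry>
    <title>8-K</title>
    <link rel="alternate" href="https://www.sec.gov/Archives/edgar/data/0/example-3-index.htm"/>
    <updated>2024-03-01T17:00:00-05:00</updated>
    <summary type="html">Filed: 2024-03-01 Item 1.05: Material Cybersecurity Incidents</summary>
  </entry>
  <entry>
    <title>10-Q</title>
    <link rel="alternate" href="https://www.sec.gov/Archives/edgar/data/0/example-4-index.htm"/>
    <updated>2024-05-01T17:00:00-04:00</updated>
    <summary type="html">Filed: 2024-05-01 Quarterly report; risk factors discuss cybersecurity generally</summary>
  </entry>
</feed>
"""


def parse_filings(atom_xml):
    """Return one dict (form, filed, link, summary) per feed entry."""
    root = ET.fromstring(atom_xml)
    filings = []
    for entry in root.findall("a:entry", ATOM_NS):
        link_el = entry.find("a:link", ATOM_NS)
        filings.append({
            "form": entry.findtext("a:title", default="", namespaces=ATOM_NS).strip(),
            # Keep only the date portion of the RFC 3339 timestamp.
            "filed": entry.findtext("a:updated", default="", namespaces=ATOM_NS)[:10],
            "link": link_el.get("href", "") if link_el is not None else "",
            "summary": entry.findtext("a:summary", default="", namespaces=ATOM_NS),
        })
    return filings


def flag_incident_filings(atom_xml):
    """Return the 8-K entries whose summary matches an incident pattern.

    Each hit carries a 'reason' (the matched text) so the reviewer sees why
    it was flagged. 10-Q/10-K risk-factor boilerplate mentions cybersecurity
    every quarter, so only 8-K current reports are considered.
    """
    hits = []
    for filing in parse_filings(atom_xml):
        if filing["form"] != "8-K":
            continue
        for pattern in INCIDENT_PATTERNS:
            match = pattern.search(filing["summary"])
            if match:
                hits.append({**filing, "reason": match.group(0)})
                break
    return hits


if __name__ == "__main__":
    for hit in flag_incident_filings(SAMPLE_FEED):
        print(f"{hit['filed']} {hit['form']} flagged ({hit['reason']}): {hit['link']}")
```

In practice you would fetch the feed for each vendor's CIK on a schedule (EDGAR requires a descriptive User-Agent header on automated requests), persist the accession links you have already seen, and open a vendor-review ticket for each new hit; the same filter applies to FTC and state AG press-release feeds with the patterns adjusted.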
The Blackbaud ransomware breach serves as a powerful reminder that cloud migration does not eliminate third-party risk; it concentrates it. When hundreds of organizations entrust their most sensitive constituent data to a single vendor, that vendor's security failures become everyone's crisis, and the customer's only real leverage over that risk, before and after the incident, is robust vendor risk management.
Sources & References
- SEC Charges Blackbaud Inc. for Misleading Disclosures About Ransomware Attack - U.S. Securities and Exchange Commission, March 2023
- $49.5 Million Multistate Settlement with Blackbaud - California Attorney General, October 2023
- In the Matter of Blackbaud, Inc. - Federal Trade Commission, February 2024
- Security Incident Information - Blackbaud Official Statement
- Blackbaud Enforcement Action - UK Information Commissioner's Office