Some Blackbaud Customers had Sensitive Data Stolen in Ransomware Attack

Blackbaud has confirmed in a recent U.S. Securities and Exchange Commission (SEC) Form 8-K filing that the ransomware attack it experienced in May 2020 did not only involve donors’ personal information. Some of its customers also had sensitive information such as bank account details, Social Security numbers, and usernames and passwords exposed or stolen in the attack.

When Blackbaud discovered the ransomware attack in May 2020, its Cyber Security team took prompt action and was able, with assistance from independent forensics experts and law enforcement, to successfully prevent the ransomware from fully encrypting files and successfully expelled the hackers from its network. Prior to deploying the ransomware, the hackers had exfiltrated a subset of data from Blackbaud’s systems, although only for a small percentage of its clients. In order to prevent the exposure of the stolen data, Blackbaud paid the ransom demand. The amount paid has not been publicly disclosed.

Initially, it was thought that the breach was limited to donor information and that sensitive data had not been accessed by the hackers; however, after July 16, the forensic investigation of the breach confirmed that, for certain customers, some sensitive data may have been accessible. In the majority of cases, fields in the database that contained sensitive information had been encrypted so sensitive data could not be viewed. Some fields intended to be used for sensitive data were found not to have been encrypted. Starting on September 27, 2020, Blackbaud sent additional notifications to all customers who had sensitive data exposed.

Blackbaud said that the investigation into the breach is continuing and efforts to improve security are ongoing. If and when further information about the breach is discovered, customers, stockholders, and other stakeholders will be informed.

Due to the data breach reporting requirements of the Health Insurance Portability and Accountability Act (HIPAA) in the United States, all HIPAA-covered entities and business associates of HIPAA-covered entities are required to report data breaches to the Department of Health and Human Services’ Office for Civil Rights (OCR) within 60 days of discovering a breach.

More than 3 dozen entities have now submitted breach reports to OCR confirming they have been affected. Almost 10 million individuals are now known to have been affected. The total number of organizations and individuals affected may never be known, as other industry sectors do not have the same requirements to report breaches.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of