Blackbaud Ransomware Attack: What Users Need to Know in 2026

A practical guide to the Blackbaud ransomware attack, what happened, who was affected, regulatory settlements, user risks, and lessons for nonprofits and vendors.

Jitendra Kumar · Founder & Editor

Founder & Editor of HacksByte, based in Dubai and focused on AI, cybersecurity, scams, privacy, apps, and practical digital safety.

Last checked: May 28, 2026. This article is based on official SEC, FTC, state attorney general, Blackbaud, CISA and FBI sources. It is an independent editorial explainer, not legal advice or a sponsored post.

Quick answer

The Blackbaud ransomware attack was a 2020 data-theft and ransomware incident at Blackbaud, a major cloud software provider used by nonprofits, schools, universities, health care organizations, religious groups, cultural institutions and foundations. The case matters because one vendor incident affected thousands of customer organizations and potentially millions of people whose donor, student, patient, member or constituent information sat inside those customer systems.

Regulators later focused on more than the intrusion itself. The SEC said Blackbaud agreed to pay a $3 million civil penalty in 2023 to settle charges over misleading disclosures about the incident. A multistate group of attorneys general announced a $49.5 million settlement in 2023. The FTC finalized an order in 2024 requiring Blackbaud to delete unnecessary personal data, improve safeguards, maintain a comprehensive information security program and avoid misrepresenting its data security and retention practices.

For users, the practical takeaway is this: if you received a notice tied to Blackbaud, read the notice from the organization that contacted you, because the data fields varied by customer. Some people may only have had contact or donation history exposed. Others may have had more sensitive fields involved, including Social Security numbers, financial information, health information or account credentials, depending on the customer dataset.

For nonprofits and institutions, the lesson is bigger than one breach. Cloud vendors can concentrate sensitive data across thousands of organizations. Vendor security review, data minimization, encryption, breach-notification planning and tested incident response are not paperwork tasks. They directly shape how much harm follows an attack.

Why this attack still matters

The Blackbaud case is a useful example of modern ransomware because it was not just "files got encrypted." According to the FTC, a hacker exploited weaknesses in Blackbaud's networks in early 2020, went undetected for about three months and removed large amounts of unencrypted sensitive consumer data belonging to Blackbaud customers. Blackbaud then waited nearly two months to notify customers, according to the FTC complaint summary.

That pattern is now common in ransomware and extortion cases. Attackers do not always stop at encryption. They may copy data first, threaten disclosure, pressure the victim to pay and leave customers with breach-notification, fraud, phishing and compliance problems long after systems are restored.

The broader threat environment also remains active. The FBI's 2025 Internet Crime Report said IC3 received more than 1 million complaints of suspected internet crime with reported losses exceeding $20 billion. The FBI also said phishing/spoofing, extortion and investment schemes were among the most frequently reported complaint types. That matters because exposed donor, patient, student and member records can later be used to make targeted scams sound more believable.

What happened in the Blackbaud attack

Blackbaud provides software and data services for social impact organizations. Its customers include nonprofits, education institutions, health care groups, faith organizations and cultural organizations. Many use Blackbaud tools to manage fundraising, donor relationships, constituent records, events, grants, alumni programs and communications.

In early 2020, an attacker gained unauthorized access to Blackbaud systems. Public notices from affected organizations described a ransomware incident in which the attacker copied a subset of customer data before Blackbaud stopped the attack. The exact fields exposed were not identical for every customer because each organization used Blackbaud differently and stored different data.

Blackbaud notified customers in July 2020. The SEC later said that on July 16, 2020, Blackbaud announced the attacker did not access donor bank account information or Social Security numbers. The SEC said company personnel learned within days that the attacker had in fact accessed and exfiltrated sensitive information, but that information did not reach senior management responsible for public disclosure because of inadequate disclosure controls and procedures.

In August 2020, according to the SEC, Blackbaud filed a quarterly report that omitted material information about the scope of the attack and characterized the risk of an attacker obtaining sensitive donor information as hypothetical. The SEC charged the company in 2023, and Blackbaud settled without admitting or denying the SEC's findings.

Figure: Timeline showing how the Blackbaud ransomware attack moved from intrusion to regulatory response.

Timeline

Date | What users should know
Early 2020 | The FTC said a hacker exploited weaknesses in Blackbaud's network and went undetected for about three months.
February to May 2020 | Multiple customer notices described the attacker accessing or copying data during this period. Not every customer dataset contained the same information.
July 16, 2020 | Blackbaud announced the incident to customers and said certain sensitive donor fields were not accessed, according to the SEC's later order summary.
Late July 2020 | The SEC said Blackbaud personnel learned the attacker had accessed and exfiltrated bank account information and Social Security numbers for some donors.
August 2020 | The SEC said Blackbaud's quarterly report omitted material details and treated sensitive-data theft as a hypothetical risk.
March 9, 2023 | The SEC announced a $3 million settlement over misleading disclosures.
October 5, 2023 | State attorneys general announced a $49.5 million multistate settlement, and Blackbaud issued its own statement confirming the resolution.
May 20, 2024 | The FTC finalized an order requiring data deletion, security improvements, breach-reporting obligations and limits on misrepresentations.

What data was involved

There was no single universal data list for every person affected. The information depended on which Blackbaud product a customer used and what that customer stored.

State attorneys general said the breach exposed categories such as contact and demographic information, Social Security and driver's license numbers, financial and employment information, donation history and protected health information. The FTC case summary also references personal data of millions of consumers, including Social Security and bank account numbers.

For many donor-focused organizations, the exposed data may have included names, addresses, email addresses, phone numbers, donation history, event attendance, relationship notes or prospect-research data. For some education, health care or service organizations, the affected records could have been more sensitive.

If you received a Blackbaud-related notice, do not assume your exposure matches another person's notice. Read the notice from your school, charity, hospital, foundation, museum, religious organization or nonprofit. That organization is usually the one best positioned to tell you which data fields were in its Blackbaud environment.

Who was affected

The direct victim was Blackbaud. The downstream impact reached Blackbaud customers and their constituents.

Affected groups may include:

  • Donors to charities, hospitals, schools, universities and foundations.
  • Alumni, students, parents and applicants.
  • Patients, members, volunteers and program participants.
  • Employees or contacts stored in customer relationship systems.
  • Nonprofit supporters whose giving, attendance or contact history was recorded.

The Colorado Attorney General's announcement said Blackbaud provided contact and donor management software to 13,000 nonprofit and government organizations and that the event affected thousands of nonprofits and millions of consumers across the country. The SEC similarly described the attack as affecting more than 13,000 customers.

Why regulators cared

The enforcement actions were not only about the attacker. They were also about security practices, data retention, communication and disclosure governance.

The SEC focused on public-company disclosure. Its March 2023 press release said Blackbaud agreed to pay $3 million to settle charges that it made misleading disclosures about the ransomware attack. The agency said employees learned sensitive donor bank account information and Social Security numbers had been accessed and exfiltrated, but that information was not escalated to senior management responsible for disclosure.

The state attorneys general focused on data security and breach response. The Colorado Attorney General's announcement said the multistate settlement resolved allegations that Blackbaud failed to implement reasonable data security, remediate known security gaps and provide timely, accurate information to customers.

The FTC focused on consumer privacy, data security and data retention. Its final order requires Blackbaud to delete personal data it no longer needs to provide products or services, create a data retention schedule, develop a comprehensive information security program, avoid misrepresenting data security and retention practices, and notify the FTC if it experiences a future reportable breach.

Blackbaud's own October 2023 statement said it had resolved the multistate investigation with 49 state attorneys general and the District of Columbia, agreed to pay $49.5 million, and agreed to comply with applicable laws and improve certain cybersecurity programs and tools.

What affected users should do now

If you only heard about the Blackbaud attack years later, the right response depends on whether your specific notice involved sensitive data.

Start with the breach notice. Identify the organization that sent it and the data categories listed. If only names, addresses and donation history were involved, the main risk may be targeted phishing, charity impersonation or social engineering. If Social Security numbers, driver's license numbers, bank account information, health information or credentials were involved, treat it as a higher-risk identity and financial exposure.

Use this checklist:

  1. Save the breach notice and any follow-up from the organization.
  2. Watch for emails, calls or texts that mention the charity, school, hospital or donation history to make the message feel legitimate.
  3. Do not click "breach support" links from unsolicited emails. Go to the organization directly.
  4. If a Social Security number was involved, consider a credit freeze at the three major credit bureaus.
  5. Review bank, card and donation account activity if financial information may have been involved.
  6. Change reused passwords if any username, password or account credential was listed in your notice.
  7. Turn on multi-factor authentication for email, banking, donation and school accounts.
  8. Report identity theft to IdentityTheft.gov if someone opens accounts or files documents in your name.
  9. Report cyber-enabled fraud or extortion to IC3 if you lose money or receive targeted criminal demands.

Credit monitoring can help with some identity risks, but it does not stop all misuse. A credit freeze is stronger for preventing many new-credit accounts from being opened in your name.

Phishing risks after a donor data breach

Donor and constituent data has a social-engineering angle. A scammer does not need a full bank account number to cause harm if they know where you donate, which university you attended, which hospital foundation you supported or which event you attended.

Be cautious with messages that say:

  • Your past donation failed and needs to be reprocessed.
  • A charity needs updated card details after a breach.
  • A scholarship, alumni, hospital or nonprofit portal must be reverified.
  • You are owed a refund, tax receipt or settlement payment.
  • You must call a support number to protect your account.
  • You need to download a secure document viewer to read a breach file.

Real organizations may contact affected people, but they should not ask for passwords, one-time codes, full card numbers or remote-access software. When in doubt, type the organization's known website into your browser or use a phone number from an official statement, not from the suspicious message.

What nonprofits and institutions should do

Organizations that use cloud fundraising, CRM, education or health care platforms should treat Blackbaud as a vendor-risk case study.

First, know what data is in each vendor system. If a fundraising tool does not need Social Security numbers, bank account details, birth dates or old health information, do not store those fields there. The safest data in a breach is data that was deleted before the breach.

Second, test notification and escalation before an incident. The SEC case shows why disclosure controls matter. Security teams, customer success teams, legal teams, privacy officers, executives and communications staff need a defined path for escalating material facts. A breach can become worse when technical findings do not reach the people writing notices, filings or customer updates.

Third, build vendor contracts around operational reality:

  • Short breach-notification timelines.
  • Clear lists of data processed and retained.
  • Encryption requirements for sensitive fields.
  • Logging and investigation support.
  • Subprocessor visibility.
  • Data deletion and return rights.
  • Security testing and audit commitments.
  • Incident response contacts that work after hours.

Fourth, prepare user communications. Donors, alumni, patients and members want to know what happened, what data was involved, what the organization is doing and what specific steps they should take. Avoid vague language if the affected fields are known.

Security controls that would reduce similar risk

No checklist can guarantee prevention, but the controls below reduce blast radius and improve recovery:

  • Multi-factor authentication for administrators and remote access.
  • Least privilege for service accounts, support accounts and database access.
  • Network segmentation between customer environments and administrative systems.
  • Encryption for sensitive fields at rest and in backups.
  • Centralized logging with retention long enough for investigations.
  • Detection for abnormal database exports and backup access.
  • Data retention schedules that delete records no longer needed.
  • Tested offline, immutable or access-controlled backups.
  • Vendor risk reviews that verify security claims with evidence.
  • Tabletop exercises for ransomware, extortion and customer notification.

CISA's StopRansomware guidance emphasizes preparation, prevention, backups and response planning. The Blackbaud case shows why those steps need to include third-party data platforms, not only internally hosted servers.
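As an added example (not code from this article, from Blackbaud or from CISA), the Python script below shows the kind of check the "abnormal database exports and backup access" control refers to: it reads constructed audit-log lines, builds a per-account baseline of routine export sizes and flags a bulk export that dwarfs that baseline, plus any backup read by an account that is not an approved backup account. The log format, actor names and tenant names are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not real Blackbaud logs). The format,
# actor names and tenant names are assumptions made for this example.
SAMPLE_LOG = """\
2020-02-03T09:12:44Z actor=svc_reporting action=db_export tenant=charity_a rows=1200 bytes=480000
2020-02-04T09:15:02Z actor=svc_reporting action=db_export tenant=charity_a rows=1350 bytes=512000
2020-02-05T09:10:31Z actor=svc_reporting action=db_export tenant=charity_a rows=1180 bytes=470000
2020-02-06T09:11:09Z actor=svc_reporting action=db_export tenant=charity_a rows=1250 bytes=495000
2020-02-07T02:41:55Z actor=svc_reporting action=db_export tenant=charity_a rows=98000 bytes=41000000
2020-02-07T02:50:13Z actor=support_tmp action=backup_read tenant=university_b bytes=900000000
2020-02-07T10:00:00Z actor=backup_agent action=backup_read tenant=university_b bytes=900000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = int(value) if value.isdigit() else value
    return event


def detect_anomalies(lines, ratio=5.0, min_history=3, expected_backup_actors=("backup_agent",)):
    """Return alert strings for two patterns: a db_export far above that actor's
    own median row count for the tenant (bulk exfiltration disguised as a routine
    report), and a backup_read by an actor that is not an approved backup account."""
    history = defaultdict(list)  # (actor, tenant) -> row counts of prior normal exports
    alerts = []
    for event in filter(None, (parse_line(ln) for ln in lines)):
        when = event["ts"].isoformat()
        key = (event["actor"], event["tenant"])
        if event["action"] == "db_export":
            prior = history[key]
            if len(prior) >= min_history:
                baseline = statistics.median(prior)
                if event["rows"] > ratio * baseline:
                    alerts.append(f"{when} bulk export by {event['actor']} on {event['tenant']}: "
                                  f"{event['rows']} rows vs baseline {baseline:.0f}")
                    continue  # keep the outlier out of the baseline
            prior.append(event["rows"])
        elif event["action"] == "backup_read" and event["actor"] not in expected_backup_actors:
            alerts.append(f"{when} unexpected backup read by {event['actor']} on {event['tenant']}")
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG.splitlines()):
        print(alert)
```

The median baseline is deliberately robust to a single spike, so one flagged export does not quietly raise the threshold for the next one.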

Was this a ransomware attack, a data breach or both?

It was both.

"Ransomware attack" describes the criminal intrusion and extortion context. "Data breach" describes the unauthorized access and removal of personal information. In Blackbaud's case, the regulatory record is important because the copied data and later communications became central issues. A restored system does not end the incident if sensitive information has already left the network.

This is why many modern ransomware incidents are handled like breach incidents from the beginning. The first response question is not only "can we decrypt files?" It is also "what did the attacker access, copy, delete, stage or attempt to sell?"

Media: ransomware and phishing awareness

These CISA videos are useful for staff training and family safety reminders:

  • CISA: Defend Against Ransomware Attacks
  • CISA Secure Our World: How to Avoid Phishing

FAQ

Was Blackbaud hacked?

Yes. Regulators described a 2020 intrusion in which a hacker accessed Blackbaud's network and removed customer data. The incident affected many Blackbaud customer organizations and people connected to them.

Did the attack affect every Blackbaud user the same way?

No. The exposed fields depended on each customer's Blackbaud data. One organization's notice may list only contact and donation history, while another may list Social Security numbers, bank account information, health information or credentials.

Did Blackbaud admit wrongdoing?

In the SEC settlement, Blackbaud agreed to pay a civil penalty without admitting or denying the SEC's findings. Blackbaud's public multistate settlement statement said it resolved the state investigation and agreed to pay $49.5 million and improve certain programs and tools.

Why did the SEC get involved?

Blackbaud was a public company. The SEC said the company made misleading disclosures about the ransomware attack and lacked disclosure controls and procedures that would have escalated sensitive facts to senior management responsible for public disclosure.

Why did the FTC get involved?

The FTC alleged that Blackbaud's security failures allowed access to personal data of millions of consumers, including Social Security and bank account numbers. The final order requires deletion of unnecessary data, improved safeguards, breach notification to the FTC in certain future cases and limits on misrepresentations.

Should affected people freeze their credit?

If your notice listed a Social Security number, driver's license number or other identity data, a credit freeze is worth considering. If the notice only involved basic contact or donation information, phishing awareness and account monitoring may be the more relevant steps.

Can criminals still use old breach data?

Yes. Even older data can support phishing, impersonation and identity verification attempts. Old email addresses, donation history, alumni connections and health-affiliated relationships can make scams sound more personal.

What should organizations learn from this?

Delete data that is no longer needed, encrypt sensitive fields, verify vendor controls, require fast incident escalation, test ransomware response and prepare clear breach communications before a crisis.
