Cyber Incident Victim: Blackbaud

Date: May 2020

Location: United States of America

Summary

A cloud software provider serving nonprofits and educational institutions suffered a ransomware attack in which attackers exfiltrated a subset of data before being expelled. The company paid the ransom despite claiming to have halted encryption early, then delayed notifying affected customers for two months. The incident highlighted ransomware actors' increasing use of data theft as extortion leverage, pressuring victims by threatening leaks. Payment occurred despite advisories against rewarding cybercriminals, who may not honor promises to delete stolen information.

Description

In May 2020, Blackbaud, a cloud software provider serving nonprofit and educational organizations, experienced a ransomware attack on its self-hosted environment. The company’s Cyber Security team detected the intrusion and collaborated with independent forensics experts and law enforcement to disrupt the attack before the ransomware fully encrypted files. Despite halting the encryption process and expelling the attacker from its systems, Blackbaud confirmed that the threat actor had exfiltrated a copy of a subset of data prior to being locked out. The company subsequently paid an undisclosed ransom to the attackers, though it did not publicly clarify the rationale for this decision. Blackbaud delayed notifying affected customers about the breach until July 2020—approximately two months after the incident—prompting concerns from clients about the lag in disclosure. The company issued a public statement and website advisory acknowledging the attack but declined to provide additional details beyond its initial announcement when questioned by media outlets.

The incident highlighted emerging ransomware tactics, where attackers increasingly exfiltrate data to pressure victims into paying ransoms, particularly when backups limit the effectiveness of encryption-based extortion. Blackbaud’s payment contradicted UK government guidance advising against rewarding cybercriminals, which emphasizes that ransoms sustain criminal enterprises and provide no guarantee of data recovery or deletion. While Blackbaud asserted its announcement timing was unrelated to contemporaneous high-profile Twitter account hijackings, the delayed notification compromised customers’ ability to promptly assess risks associated with the stolen data subset. The company did not disclose specific data types impacted or the number of affected organizations, nor did it confirm whether attackers honored their deletion agreement after receiving payment.
