Ransomware ⛓ Supply Chain

Blackbaud Cloud CRM Ransomware and Data Exfiltration — Nonprofits, Universities, Hospitals

📅 2020-02-07 🏢 Blackbaud CRM (cloud fundraising and constituent relationship management platform)

Incident Details

In February 2020, attackers breached Blackbaud — the world’s largest provider of nonprofit and education CRM/fundraising software — and spent approximately five months in the environment before deploying ransomware. Blackbaud paid the undisclosed ransom, claiming it received a promise from the attackers that stolen data was destroyed. Blackbaud did not initially disclose that sensitive data including Social Security numbers, bank account information, usernames, passwords, and healthcare information was stolen — disclosure of the full scope came only after the SEC and multiple state attorneys general investigated.

The breach affected over 600 organizations including universities (University of East Anglia, San Diego State University, University of London), hospitals and healthcare charities (Cancer Research UK, Royal Trinity Hospice), and nonprofits worldwide. In the US, affected entities filed notifications with HHS OCR affecting millions of individuals.

The FTC and 49 US state attorneys general reached a $49.5 million settlement with Blackbaud in October 2023 over deceptive data practices, the inadequate security that allowed the breach, and the misleading initial disclosure. The SEC separately charged Blackbaud with misleading disclosures, resulting in a $3 million penalty. Blackbaud agreed to implement comprehensive security improvements. The breach demonstrated the severe downstream impact of a single cloud CRM vendor being compromised across hundreds of customer organizations simultaneously.

Technical Details

Initial Attack Vector
A ransomware group gained access to Blackbaud's self-hosted customer cloud environments. The attackers spent approximately five months conducting reconnaissance and exfiltrating data before deploying ransomware. The initial access vector was not fully disclosed.
Vendor / Product
Blackbaud CRM (cloud fundraising and constituent relationship management platform)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2020-02-07 Breach occurred
  2. 2020-07-16 Publicly disclosed
  3. 2020-07-16 Customers notified