Supply chain
Blackbaud CRM Ransomware/Data Theft (Nonprofits, Universities, Healthcare)
Incident Details
Blackbaud, a major provider of cloud software for nonprofits, universities, healthcare organizations, and foundations, disclosed in July 2020 that it had suffered a ransomware attack between February and May 2020. Before attempting to encrypt systems, the attackers exfiltrated a copy of donor and constituent data. Blackbaud paid the ransom and stated that it had received confirmation the stolen data had been destroyed, but its initial disclosures downplayed the scope of the breach, asserting that no Social Security numbers, bank account details, or credit card information had been taken. In subsequent SEC filings Blackbaud admitted the stolen data did include Social Security numbers, bank account information, and credentials, contradicting its earlier statements. The breach affected thousands of Blackbaud clients, including hundreds of universities, healthcare organizations, charities, and nonprofits across the US, UK, Canada, and Australia. Notable affected organizations include the University of California, Northwestern University, Rhode Island School of Design, the 49ers Foundation, and numerous NHS trusts. In March 2023 Blackbaud paid $3 million to settle SEC charges that it made misleading disclosures about the breach's scope, and in October 2023 it paid $49.5 million to settle a multistate investigation by 49 state attorneys general and the District of Columbia, one of the largest multistate AG breach settlements to date. In 2024 the FTC finalized a consent order requiring comprehensive security improvements, limits on data retention, and prohibiting misrepresentations about Blackbaud's security practices.
Technical Details
- Initial Attack Vector
- Ransomware attackers gained access to Blackbaud's self-hosted environment (as distinct from its public-cloud products) and, before deploying ransomware, exfiltrated a copy of a subset of customer data, including backup files; Blackbaud paid the ransom in exchange for the attackers' assurance that the copied data had been deleted, an assurance that could not be independently verified
- Vendor / Product
- Blackbaud cloud CRM platform
- Supply Chain Attack
- Confirmed third-party / vendor compromise
Timeline
- 2020-02-07 Earliest confirmed attacker access
- 2020-05-20 Attacker access ended after Blackbaud expelled the intruders
- 2020-07-16 Publicly disclosed
- 2020-07-16 Customers notified