A quick guide to the Blackbaud data breach

University students sit chatting in a library
Share on facebook
Share on twitter
Share on linkedin


In May 2020, over 100 educational, charitable, and third-sector organisations had their customer, donor, and membership data stolen. The breach happened when Blackbaud – a firm that provides administration, fundraising, and financial management software – was targeted by cybercriminals in a devastating cyber-attack. The hackers demanded a ransom in exchange for deleting the data, which Blackbaud paid.

Information stolen in breaches is often used to commit cybercrime. Similar data breaches have resulted in fraud, blackmail, and identity theft, so those affected by the breach are at high risk of being targeted by cybercriminals.

Despite this, Blackbaud took weeks to warn its customers that their data had been stolen. This left victims of the hack at risk of further attacks as they did not realise their data was in the hands of criminals and that they needed to be extra vigilant.

Furthermore, despite initially claiming that financial data had not been stolen, Blackbaud later admitted that bank account information and users’ passwords were among details feared accessed by hackers (although not everyone will have had their financial details compromised). 

According to the Information Commissioner’s Office (ICO), the Blackbaud data breach affected 166 UK organisations.

Which organisations were affected by the Blackbaud data breach?

Some of the organisations who have confirmed they were impacted by the breach include:

  • National Trust
  • Crisis UK
  • Shelter UK
  • Sue Ryder
  • Action on Addiction
  • Breast Cancer Now
  • Maddabi GB
  • Myeloma UK
  • The Urology Foundation
  • Young Minds
  • MS Trust
  • StopItNow
  • The Donkey Sanctuary
  • Manchester Foundation Trust
  • Autistica
  • Leeds International Piano Competition
  • University of Newcastle
  • University of Northampton
  • Oxford Brookes University
  • University of Reading
  • Robert Gordon University
  • Selwyn College, Cambridge
  • Boaz Trust
  • Overthewall
  • ACS International Schools
  • Radley College
  • St Albans School Hertfordshire
  • Stonyhurst College
  • University of Aberdeen
  • Aberystwyth University
  • University of Birmingham
  • Birmingham City University
  • Brasenose College, Oxford
  • University of Bristol
  • Brunel University, London
  • Cumbria University
  • De Montfort University
  • University of Durham,
  • University of East Anglia
  • University of South Wales
  • St John’s College, Cambridge
  • Staffordshire University
  • University of Strathclyde
  • University of Sussex
  • University College, Oxford

Has your data been compromised in the Blackbaud data breach?

By now, all organisations affected by the Blackbaud data breach should have been informed. These organisations should also have contacted any customer, member, donor etc. whose personal data was accessed in the breach.

Many of those who have received confirmation are now understandably concerned. The damage that can be caused if cybercriminals use this financial and personal information fraudulently could be significant.

What data was stolen?

The information accessed depends on the institution involved. According to the BBC this could include:

  • Personal data such as names, dates of birth, and gender
  • Postal addresses, telephone numbers and email addresses
  • Passwords
  • Car licence details
  • Employer details
  • Donor info including:
    • Engagement with fundraising and other events
    • Estimated wealth and identified assets
    • Total number and value of past donations to the organisation in question
    • Wider history of philanthropic and political gifts
    • Spouses’ identity and past gift-giving
    • Likelihood to make a bequest triggered by their death

Blackbaud has also admitted that bank account information was among the details feared accessed by hackers. Although not everyone will have had their financial details compromised.

What happens now?

The ICO, which is the UK’s data protection regulator, has reprimanded Blackbaud over this data breach. And we understand that this breach is still undergoing investigation by the ICO.

The ICO can impose substantial fines on organisations in breach of their duties. But it does not award compensation to individuals. The only way to get compensation for this data breach is to make a claim.

If you have been told that your data was involved in this breach, you can join our no-win, no-fee compensation claim. There are no costs to register and no obligation to proceed.

Contact Keller Lenkner to discuss a data breach claim.

Share this article:

Share on facebook
Share on twitter
Share on linkedin