This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Blackbaud

Blackbaud, a major cloud software provider for non-profits and educational institutions, suffered a ransomware attack affecting Australian charities, universities, and community organisations, prompting an OAIC investigation.

What Happened

In May 2020, Blackbaud was hit by a ransomware attack in which attackers gained access to customer databases before encrypting systems. Blackbaud paid the ransom and claimed the attackers deleted the stolen data, though this could not be independently verified.

The breach affected Blackbaud's fundraising, donor management, and constituent relationship management platforms used by non-profits, charities, universities, and healthcare organisations worldwide, including many Australian entities. Exposed data included donor information, constituent records, and in some cases, financial and health information.

The OAIC confirmed it had made inquiries with Blackbaud and affected Australian organisations regarding the breach and notification obligations under Australian privacy law.

Impact on Individuals

Donors and supporters of Australian charities and non-profits had their personal information potentially exposed, including names, contact details, donation history, and in some cases, bank account details. Universities' alumni and student data were also at risk.

Organisational Response

Blackbaud notified affected organisations, many of which then had to notify their own constituents. Australian charities, including major national organisations, launched their own investigations and customer notifications. The incident prompted scrutiny of Blackbaud's security practices and of its decision to pay the ransom rather than refuse. The OAIC's involvement signalled regulatory attention to cloud service providers' responsibilities for protecting Australian data.
