Blackbaud, a leading provider of cloud-based software for nonprofits, will pay $49.5 million to resolve a massive data breach that exposed sensitive information belonging to millions of people across the United States. In October 2023, a multistate coalition of 49 states plus the District of Columbia finalized this settlement after the company discovered on May 14, 2020, that hackers had accessed data stored on its systems. The company delayed announcing the breach publicly for two months—until July 16, 2020—a delay that regulators found particularly troubling given the sensitive nature of the information at stake, including Social Security numbers, driver’s license information, and donor records from thousands of nonprofit organizations.
This settlement represents one of the largest data breach recoveries in recent history and marks a significant moment for nonprofit accountability. Beyond the $49.5 million multistate settlement, California secured an additional $6.75 million separately, bringing the total recovery to approximately $56.25 million. The breach impacted over 13,000 nonprofit software customers who relied on Blackbaud’s platform to manage their operations, meaning millions of consumers—donors, volunteers, and clients of nonprofits—had their personal information compromised. For example, a donor’s complete giving history at a major cancer research nonprofit, along with their Social Security number and home address, became accessible to unauthorized parties.
Table of Contents
- How Did Blackbaud’s Data Breach Happen and Why Did It Take Two Months to Tell Anyone?
- What Information Was Exposed and What Does This Mean for Nonprofit Donors?
- How Many People Were Affected and What Made This Breach So Significant?
- Who Can Claim Settlement Money and What Is the Process?
- What Are the Key Limitations of This Settlement?
- What Has Blackbaud Done Since the Breach?
- What Does This Settlement Mean for the Future of Nonprofit Data Security?
- Conclusion
How Did Blackbaud’s Data Breach Happen and Why Did It Take Two Months to Tell Anyone?
Blackbaud discovered the breach on May 14, 2020, but did not publicly announce it until July 16, 2020—a 63-day gap that regulators across the country viewed as a serious failure. During those two months, millions of individuals had no idea their personal information was exposed to potential misuse. The company’s delayed notification meant that nonprofit organizations using Blackbaud’s software couldn’t immediately warn their donors, employees, and beneficiaries to take protective measures against identity theft or fraud.
Regulators found that Blackbaud had not implemented adequate security measures to prevent the breach in the first place and, worse, had neglected to fix known security vulnerabilities that could have prevented the hack. The company also provided incomplete, inaccurate, and misleading breach notifications to its customers. According to state attorneys general, Blackbaud downplayed the severity of the incident and misrepresented notification requirements to the nonprofits relying on their platform. This pattern of failure—inadequate security, known unfixed vulnerabilities, and delayed/inaccurate notification—formed the core of the allegations against the company and became the basis for the multistate settlement.

What Information Was Exposed and What Does This Mean for Nonprofit Donors?
The scope of data exposed in the Blackbaud breach was extensive and dangerous. Hackers accessed Social Security numbers, driver’s license numbers, complete donation histories, contact information, demographic data, employment history, and in some cases, protected health information. For a donor who had given to a health-related nonprofit over many years, the breach could expose not only their financial contributions but also sensitive health details that they shared in confidence with the organization. This combination of data makes identity theft particularly easy and leaves victims vulnerable to fraud, credit manipulation, and other crimes.
One critical limitation of the settlement is that it cannot undo the exposure that already occurred. The monetary compensation is meant to help offset the costs of credit monitoring, identity theft protection, and time spent managing the consequences of the breach, but it cannot restore the privacy that was lost. Nonprofit donors and beneficiaries should understand that this settlement, while substantial, is focused on holding Blackbaud financially accountable and funding victim compensation—it doesn’t change the fact that their information was already in the hands of criminals. Additionally, not all affected individuals may be eligible for the settlement, and those who are will likely receive a modest payment that varies depending on how many valid claims are filed.
How Many People Were Affected and What Made This Breach So Significant?
The Blackbaud breach impacted more than 13,000 nonprofit software customers, which translates to millions of individual consumers—donors, volunteers, board members, and clients of those organizations. This scale is what elevated the breach from a serious incident to a major crisis affecting the nonprofit sector. Consider a medium-sized nonprofit network: if a single organization using Blackbaud’s platform had 50,000 donors in its database, and the nonprofit stored that database in Blackbaud’s cloud infrastructure, all 50,000 donors’ records were potentially compromised.
Multiply that across thousands of nonprofits, and the breach reached into every corner of American philanthropy. The nonprofit sector is particularly vulnerable to large-scale breaches because many nonprofits lack the cybersecurity resources that larger corporations maintain. A small local food bank or community health center using Blackbaud’s software to manage donor information might have only one part-time IT staff member, making them dependent on third-party vendors to keep their data secure. When a major vendor like Blackbaud fails to implement basic security practices, it creates a domino effect of exposure that no individual nonprofit could have prevented on their own.

Who Can Claim Settlement Money and What Is the Process?
Individuals whose information was exposed in the Blackbaud breach and whose data was not previously subject to another settlement or legal action are generally eligible to file a claim. This typically includes nonprofit donors, volunteers, employees, beneficiaries, and anyone whose information was stored in systems managed by affected Blackbaud customers. The claims process usually involves submitting proof of impact—such as evidence of credit monitoring services purchased, identity theft expenses incurred, or time spent addressing fraud—though some settlements also allow claims based on exposure alone without requiring proof of actual loss.
A significant limitation is that the settlement must be divided among all valid claimants. If 100,000 people file claims against the $49.5 million pool, the average individual recovery would be $495 before administrative costs are deducted. If 500,000 people file claims, that amount drops to under $100 per person. Claimants typically receive settlement payments weeks or months after the claims period closes, and the final amount per claim depends on how the settlement administrator allocates funds based on the total number of valid claims received and the proof of injury submitted.
What Are the Key Limitations of This Settlement?
While $49.5 million is a substantial penalty, it does not fully restore what was lost or prevent future similar breaches. This is an important limitation: regulatory settlements focus on financial accountability, not prevention. Blackbaud faced this massive settlement, but the company remained in business and continued operating its cloud services for nonprofits. Some nonprofit customers continued using Blackbaud after the settlement was announced, while others migrated to different vendors—but the settlement itself did not force any specific changes to the way Blackbaud operates or secures data going forward.
Another limitation is that individual victims typically receive modest payments. The nonprofit sector operates on tight margins, and many smaller nonprofits did not have insurance to cover the breach notification costs, credit monitoring programs, or legal fees they incurred. For those nonprofits, the settlement provides some recovery, but it rarely covers the full cost of the incident. Additionally, individuals whose information was compromised may have experienced identity theft or fraud that continued for years after the breach was discovered—costs that the settlement payment cannot fully address.

What Has Blackbaud Done Since the Breach?
Following the settlement, Blackbaud underwent some changes to its security practices and leadership, but critics argue these changes should have been in place long before 2020. The company implemented enhanced security measures and became more vocal about its data protection commitments, yet the fact remains that the breach happened because basic security practices were not enforced.
The settlement essentially forced the company to pay for neglecting security that should have been standard. For nonprofits using Blackbaud or considering switching to the platform, the breach serves as a sobering reminder to audit any third-party vendor’s security practices before entrusting them with sensitive donor data. Organizations should ask vendors directly about their security certifications, incident response procedures, and breach notification protocols—lessons that the thousands of Blackbaud customers learned the hard way in 2020.
What Does This Settlement Mean for the Future of Nonprofit Data Security?
The Blackbaud settlement established a precedent that technology vendors serving the nonprofit sector will be held accountable for inadequate security and delayed breach notifications. In the years since 2020, nonprofits have become more cautious about data storage and more likely to invest in security upgrades, even on limited budgets. The settlement also signaled to state attorneys general that multistate coordination on data breach cases can yield substantial recoveries—a model that has been replicated in subsequent breach cases.
Looking ahead, the nonprofit sector faces ongoing challenges with cybersecurity. Many smaller organizations still operate with minimal IT infrastructure, making them targets for hackers who know that nonprofits may lack the resources to respond quickly to breaches. The Blackbaud settlement shows that accountability is possible, but only after a breach has already occurred and millions of people have been harmed. Prevention remains the more cost-effective approach, and nonprofits must demand that vendors prioritize security before trusting them with sensitive information.
Conclusion
The Blackbaud $49.5 million settlement, plus California’s additional $6.75 million, represents a major recovery for victims of one of the nonprofit sector’s largest data breaches. The settlement holds a major technology vendor accountable for failing to implement basic security practices, delaying breach notification, and misleading customers about the incident. Millions of people whose information was exposed—donors, volunteers, and beneficiaries of nonprofits—are now eligible to file claims for compensation, though individual payments will likely be modest and depend on the total number of claims filed.
If you believe your information was exposed in the Blackbaud breach, you should gather any documentation of related expenses (credit monitoring, fraud recovery costs, time spent addressing identity theft) and file a claim before the claims deadline. The settlement window is typically limited, and late claims are usually rejected. For nonprofits, this breach underscores the importance of vetting vendors thoroughly and maintaining control over sensitive donor data whenever possible. The lesson is clear: accountability matters, but prevention is far more important than any settlement payout could ever be.
