Multiple organizations | April 2026 | Nonprofit Technology

Blackbaud

The dominant nonprofit software provider exposed donor data again—giving histories, wealth indicators, and bank details from charitable organizations.

Exposed data: Donor names, Contact information, Giving histories, Bank account details, Wealth indicators, Organizational affiliations

1. What happened?

Blackbaud, the world's largest provider of software for nonprofits, universities, and charitable organizations, disclosed another data breach affecting donor records. This isn't Blackbaud's first breach—they've faced multiple incidents, yet continue to hold the most sensitive data about charitable giving in the country.

2. What data was actually inside?

Donor names, contact information, giving histories, bank account details, and wealth indicators. Fundraising software tracks not just donations but donor capacity—estimated net worth, stock holdings, real estate ownership. This is a financial profile of wealthy Americans.

The data also reveals philanthropic interests—what causes people support, what organizations they trust, what boards they serve on.

3. Who gets hurt and how?

Donors to universities, hospitals, churches, and charitable organizations. People who gave generously now have their financial profiles exposed. The data enables targeted scams—attackers know who has money, what causes they care about, and how to impersonate the organizations they support.

Wealth indicators make high-net-worth donors prime targets for sophisticated fraud schemes and social engineering.

4. What did they think they were doing right?

Blackbaud dominates the nonprofit software market. They serve hospitals, universities, and major charities. They have security programs and compliance certifications. After previous breaches, they made public commitments to improve security. Those commitments apparently weren't enough.

Repeat breaches suggest systemic issues that patch-by-patch responses haven't addressed.

5. What did they not know about their own data?

Blackbaud didn't know how their data landscape had evolved across thousands of nonprofit clients. Decades of donor records, wealth screening data, and payment information accumulate across their platform. Legacy systems, acquired products, and client customizations create complexity.

Previous breaches should have prompted comprehensive data mapping. Apparently they still don't fully understand what they're holding.

6. What does attribution look like the morning after?

Notifications to nonprofit clients who must then notify their donors. Universities explaining to alumni why their giving records are exposed. Hospitals telling grateful patients their donations are now public knowledge. The breach undermines donor trust across the entire nonprofit sector.

For Blackbaud, another breach adds to a pattern that regulators, clients, and plaintiffs will reference in demanding accountability.

7. What would have changed the outcome?

Actually mapping donor data after previous breaches—and acting on it.

If Blackbaud had comprehensively mapped their data landscape after earlier incidents—every donor record, every wealth indicator, every bank account—they could have identified and protected sensitive data before this breach. Repeat offenders should know their data by now. Clearly, Blackbaud still doesn't.

Don't Learn What You Have From an Attacker

Blackbaud keeps learning about their data exposure from attackers. Risk Finder shows you first.