Blackbaud Settles Ransom After 2020 Data Breach, Amid Global Ransomware Surge

In a stark reminder of how ransomware remains the most common cyber‑attack vector, South Carolina‑based cloud software provider Blackbaud has publicly confirmed that it paid an undisclosed ransom to unlock client data after a breach discovered in May 2020. The company, which markets itself as the “world’s leading cloud software company powering social good,” serves nonprofits and higher‑education institutions, including the American Diabetes Association, the University of London, Oxford, YWCA Chicago, and the homeless charity Crisis.

Blackbaud’s statement clarified that the attack began in February and was halted before full encryption could occur. While the cyber‑criminals had removed a subset of data from a backup server, Blackbaud’s security team, together with independent forensic experts and law enforcement, expelled the intruders and prevented further damage. Despite this, the company opted to pay the ransom “to protect our customers’ data,” asserting that the removed data had been destroyed and would not be misused or publicly released.

Delayed Disclosure Raises Questions

The company notified affected partners in July, citing the need to “defend against the attack, conduct investigations, address root causes, and prepare resources.” Critics, such as Aberdeen University, have highlighted the delay and are reviewing contractual security provisions. The incident prompted a formal report to the UK Information Commissioner’s Office (ICO).

Ransomware Trends Continue to Escalate

Parallel to Blackbaud’s case, SonicWall Capture Labs released its 2020 Mid‑Year Cyber Threat Report, reporting a 20% increase in ransomware worldwide during the first half of 2020. The U.S. saw a 109% rise in attacks (79.9 million), while the U.K. experienced a 6% decline (5.9 million). The report also notes a surge in COVID‑19‑themed phishing and a 50% increase in IoT malware attacks—an indicator of the expanding threat surface as work shifts online.

Practical Guidance for Organizations

To safeguard against similar incidents, organizations should consider the five steps outlined in the NordLocker article. Additional resources are available from the UK National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO):

• NCSC: Suspicious Email Actions
• NCSC: Top Tips for Staying Secure Online
• Equifax: Spotting Phishing Emails
• ICO: Identity Theft

Author: Jeremy Cowan, Editorial Director of VanillaPlus, The Evolving Enterprise, and IoT Now. * Jeremy Cowan is an alumnus of Aberdeen University, Scotland.