Blackbaud’s Billion-Dollar Betrayal: Data Fumbled, Public Deceived
An Unlocked Digital Vault
Blackbaud, Inc. is a massive corporation, managing the sensitive data of over 45,000 nonprofits, hospitals, and universities. On February 7, 2020, an attacker used a customer’s login credentials to walk into their digital fortress. According to the Federal Trade Commission (FTC) complaint (Docket No. C-4804), that attacker remained inside, undetected, for over three months.
It was not until May 20, 2020, that an engineering team member noticed a suspicious login. By then, it was too late. The intruder had moved freely across Blackbaud’s networks, exploiting existing vulnerabilities to create their own administrator accounts and siphon off massive amounts of data belonging to tens of thousands of Blackbaud’s customers.
The Non-Financial Ledger: Your Life, Unencrypted
The scale of the company’s negligence is staggering. The data stolen was not just names and emails. Blackbaud’s “deficient encryption practices” meant the attacker exfiltrated a complete digital profile of millions of people, all of it unencrypted and unprotected.
The stolen files included: Social Security numbers, bank account information, estimated wealth, home addresses, phone numbers, medical record identifiers, treating physician names, health insurance information, reasons for seeking medical treatment, religious beliefs, marital status, and employment information, including salaries. They even hoarded data from former customers for years longer than necessary, expanding the blast radius of their failure.
This is the non-financial ledger of the damage. It is a permanent record of betrayal, where the most intimate details of a person’s health, faith, and finances were treated as disposable and left wide open for theft.
Legal Receipts: Their Own Words, Our Evidence
After paying the hacker a ransom of 24 Bitcoin (valued at $235,000 at the time) for a promise to delete the data—a promise they admit they cannot verify—Blackbaud finally notified its customers on July 16, 2020. That notification was a calculated deception.
“The cybercriminal did not access credit card information, bank account information, or social security numbers. . . No action is required on your end because no personal information about your constituents was accessed.”
The FTC complaint reveals this was a lie. By July 31, 2020, Blackbaud’s own investigation confirmed that the attacker *had* stolen bank account numbers and Social Security numbers. The company sat on this information, leaving millions of people vulnerable, and did not issue a correction until October 2020.
This deception was layered on top of another one. The company’s own privacy policy claimed it maintained “appropriate physical, electronic and procedural safeguards.” The FTC found this to be false, citing a laundry list of failures including weak passwords, no multifactor authentication, and a failure to monitor its own networks for data theft.
Societal Impact Mapping
Public Health & Dignity
The theft of medical data is a profound violation. It exposes people to potential discrimination, blackmail, and severe emotional distress. Information about why you sought treatment or who your doctor is belongs to you. Blackbaud’s negligence turned that private trust into a commodity for cybercriminals.
Economic Inequality
The harm from this breach falls directly on working people. While a billion-dollar company negotiated a settlement with regulators, its customers and their donors were left to deal with the fallout. The FTC notes that since the breach, Blackbaud received multiple complaints involving attempted identity theft and fraud using the stolen information, including credit card, tax, and unemployment scams. The cost of credit monitoring, frozen accounts, and stolen identities is paid by the victims, not the corporation that failed them.
What Now? A Watchlist For The Powerless
The FTC’s “Decision and Order” against Blackbaud contains no financial penalty. The corporation was ordered to delete the data it should have already deleted and implement a comprehensive security program—the kind of program it should have had in the first place. Blackbaud neither admits nor denies the allegations.
This is not justice. It is a business-as-usual compliance agreement that forces no real accountability for the harm caused. Since the system will not hold them accountable, we must.
Corporate Roles to Watch
- The Chief Executive Officer
- The Chief Information Security Officer
- The Board of Directors
Regulatory Watchlist
- Federal Trade Commission (FTC): This agency had the power to levy significant fines and chose instead to issue a procedural slap on the wrist. They are a watchdog with no teeth when it comes to penalizing corporate negligence that harms millions.
The Resistance
Waiting for regulators to protect you is a failing strategy. True power comes from the ground up. Support mutual aid funds that help victims of identity theft recover. Demand local and federal representatives pass data privacy laws with mandatory, multi-million dollar fines for this level of negligence. A company that makes a billion dollars a year will only change its behavior when the cost of failure outweighs the cost of compliance.
The source document for this investigation, the FTC's final consent package, is linked below.
Source: https://www.ftc.gov/system/files/ftc_gov/pdf/2023181_blackbaud_final_consent_package.pdf