Attorney General Phil Weiser announces $49.5 million multistate settlement with software company Blackbaud over 2020 data breach

Oct. 5, 2023 (DENVER) – Attorney General Phil Weiser joined 49 other attorneys general in a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that affected thousands of nonprofits and millions of consumers across the country. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Colorado will receive over $785,000 from the settlement.

Blackbaud provides contact and donor management software to 13,000 nonprofit and government organizations, including charitable, education, health care, religious, and cultural organizations. The 2020 breach exposed contact and demographic information, Social Security and driver’s license numbers, financial and employment information, donation history, and protected health information.

Today’s settlement resolves allegations that Blackbaud violated state and federal consumer protection, data security, and health information laws by failing to implement reasonable data security and remediate known security gaps, allowing criminals to gain access to Blackbaud’s network. The company then failed in their obligation to provide customers with timely, accurate information about the incident. Affected consumers received significantly delayed notifications about the event or no notification at all. Blackbaud also downplayed the incident, leading customers to believe that no notification was required.

“Blackbaud failed the organizations that relied on the company for cybersecurity, and in doing so broke the law,” said Weiser. “While we can’t go back and undo the harm consumers experienced, this bipartisan coalition of attorneys general fought to ensure community institutions and consumers will be better protected in the future.”

Under the settlement, Blackbaud agrees to strengthen its data security and breach notification practices. This includes prohibiting the company from misrepresentations related to the handling of, and responsibilities related to, personal data. The company will also be required to implement plans for adequate responses to future breaches, including providing customers with all required compliance support, notifications to company leadership, employee training, adopting best cybersecurity practices, and undergoing independent compliance checks for seven years.

The $785,000 Blackbaud will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.

###

Attorney General Phil Weiser announces settlement in Savory Spice Shop data breach that impacted more than 13,000 Coloradans

Learn More →

Attorney General Phil Weiser announces settlement with Broomfield skilled nursing facility over 2021 data breach

Learn More →

Most Recent

Attorney General Phil Weiser statement on the states not reaching agreement on future of Colorado River

Feb. 13, 2026 (DENVER) — Attorney General Phil Weiser today issued the following statement in regarding the end of negotiations over future management of the Colorado River without an agreement: “I am disappointed that the seven Basin States could not reach a consensus agreement […]

Attorney General Phil Weiser statement on U.S. EPA revoking a key policy to combat climate change

Feb. 12, 2026 (DENVER) — Attorney General Phil Weiser today issued the following statement in response to the U.S. Environmental Protection Agency’s final rule rescinding the 2009 endangerment finding, which determined that greenhouse gas emissions from motor vehicles contribute to […]

Attorney General Phil Weiser sues Trump administration over unlawful directive to cut more than $600M in federal public health grants

Feb. 11, 2026 (DENVER) – Attorney General Phil Weiser and the attorneys general from California, Illinois and Minnesota today sued the Trump administration over the White House Office of Management and Budget’s directive to unlawfully cut more than $600 million […]