Attorney General Phil Weiser announces $49.5 million multistate settlement with software company Blackbaud over 2020 data breach

Oct. 5, 2023 (DENVER) – Attorney General Phil Weiser joined 49 other attorneys general in a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that affected thousands of nonprofits and millions of consumers across the country. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Colorado will receive over $785,000 from the settlement.

Blackbaud provides contact and donor management software to 13,000 nonprofit and government organizations, including charitable, education, health care, religious, and cultural organizations. The 2020 breach exposed contact and demographic information, Social Security and driver’s license numbers, financial and employment information, donation history, and protected health information.

Today’s settlement resolves allegations that Blackbaud violated state and federal consumer protection, data security, and health information laws by failing to implement reasonable data security and remediate known security gaps, allowing criminals to gain access to Blackbaud’s network. The company then failed in their obligation to provide customers with timely, accurate information about the incident. Affected consumers received significantly delayed notifications about the event or no notification at all. Blackbaud also downplayed the incident, leading customers to believe that no notification was required.

“Blackbaud failed the organizations that relied on the company for cybersecurity, and in doing so broke the law,” said Weiser. “While we can’t go back and undo the harm consumers experienced, this bipartisan coalition of attorneys general fought to ensure community institutions and consumers will be better protected in the future.”

Under the settlement, Blackbaud agrees to strengthen its data security and breach notification practices. This includes prohibiting the company from misrepresentations related to the handling of, and responsibilities related to, personal data. The company will also be required to implement plans for adequate responses to future breaches, including providing customers with all required compliance support, notifications to company leadership, employee training, adopting best cybersecurity practices, and undergoing independent compliance checks for seven years.

The $785,000 Blackbaud will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.

###

Attorney General Phil Weiser announces settlement in Savory Spice Shop data breach that impacted more than 13,000 Coloradans

Learn More →

Attorney General Phil Weiser announces settlement with Broomfield skilled nursing facility over 2021 data breach

Learn More →

Most Recent

Attorney General Phil Weiser suit challenges federal attack on gender-affirming care

Dec. 24, 2025 (DENVER) — Attorney General Phil Weiser today joined a multistate coalition of states in filing a lawsuit to block an unlawful declaration from Health and Human Services Secretary Robert F. Kennedy, Jr. that threatens health care providers […]

Attorney General Phil Weiser sues Trump administration to defend important consumer protection efforts

Dec. 22, 2025 (DENVER) — Attorney General Phil Weiser today joined a coalition of attorneys general in suing the Trump administration to stop the complete defunding of the Consumer Financial Protection Bureau, or CFPB, which has returned more than $21 […]

Attorney General Phil Weiser announces $149.6M settlement with Mercedes-Benz and Daimler in emissions cheating case

Dec. 22, 2025 (DENVER) — Attorney General Phil Weiser today joined a bipartisan coalition of 50 attorneys general announcing a $149,673,750 settlement with Mercedes-Benz USA and Daimler AG for violating state laws prohibiting unfair or deceptive trade practices by marketing, […]