Attorney General Phil Weiser announces $49.5 million multistate settlement with software company Blackbaud over 2020 data breach

Oct. 5, 2023 (DENVER) – Attorney General Phil Weiser joined 49 other attorneys general in a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that affected thousands of nonprofits and millions of consumers across the country. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Colorado will receive over $785,000 from the settlement.

Blackbaud provides contact and donor management software to 13,000 nonprofit and government organizations, including charitable, education, health care, religious, and cultural organizations. The 2020 breach exposed contact and demographic information, Social Security and driver’s license numbers, financial and employment information, donation history, and protected health information.

Today’s settlement resolves allegations that Blackbaud violated state and federal consumer protection, data security, and health information laws by failing to implement reasonable data security and remediate known security gaps, allowing criminals to gain access to Blackbaud’s network. The company then failed in their obligation to provide customers with timely, accurate information about the incident. Affected consumers received significantly delayed notifications about the event or no notification at all. Blackbaud also downplayed the incident, leading customers to believe that no notification was required.

“Blackbaud failed the organizations that relied on the company for cybersecurity, and in doing so broke the law,” said Weiser. “While we can’t go back and undo the harm consumers experienced, this bipartisan coalition of attorneys general fought to ensure community institutions and consumers will be better protected in the future.”

Under the settlement, Blackbaud agrees to strengthen its data security and breach notification practices. This includes prohibiting the company from misrepresentations related to the handling of, and responsibilities related to, personal data. The company will also be required to implement plans for adequate responses to future breaches, including providing customers with all required compliance support, notifications to company leadership, employee training, adopting best cybersecurity practices, and undergoing independent compliance checks for seven years.

The $785,000 Blackbaud will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.

###

Attorney General Phil Weiser announces settlement in Savory Spice Shop data breach that impacted more than 13,000 Coloradans

Learn More →

Attorney General Phil Weiser announces settlement with Broomfield skilled nursing facility over 2021 data breach

Learn More →

Most Recent

Attorney General Phil Weiser statement on SCOTUS opinion striking down law governing firearms on private property

June 25, 2026 (DENVER) – Attorney General Phil Weiser released the following statement after the U.S. Supreme Court struck down a Hawaii law governing firearms on private property: “Today’s decision is disappointing and undermines the ability of states to enact […]

Unlock Partnership Solutions agrees to comply with state consumer lending laws in home equity agreements

June 24, 2026 (DENVER) – Attorney General Phil Weiser today announced that Unlock Partnership Solutions, Inc. has entered into a settlement requiring the company to comply with Colorado’s Uniform Consumer Credit Code and provide restitution to Colorado homeowners who entered […]

Operation Pacifico: Last key member of criminal drug-trafficking ring sentenced to 17 years

June 23, 2026 (DENVER) – A Weld County District Court judge yesterday sentenced George Trevino to 17 years in the Colorado Department of Corrections for conspiracy to distribute methamphetamine, a class 1 drug felony. He is the last of three […]