Universities and charities in the UK, US, and Canada have all been affected by a hack that hit software supplier Blackbaud.

Over 20 universities and charities have stated they were affected after Blackbaud – a supplier of administration and financial software – was hacked back in May, with personal data being held for ransom.

Blackbaud agreed to pay the ransom, despite this being against the advice of most law enforcement agencies. Most worryingly, however, it took a long time to inform those affected.

According to BBC News:

Questions are being asked about why Blackbaud took weeks to inform its customers of the hack.


Under General Data Protection Regulation (GDPR), companies must report a significant breach to data authorities within 72 hours of learning of an incident – or face potential fines.


The UK’s Information Commissioner’s Office [ICO], as well as the Canadian data authorities, were informed about the breach last weekend – weeks after Blackbaud discovered the hack.

You can read the full article from the BBC here.

How Blackbaud has approached the hack is extremely worrying, especially given how sensitive data was stolen including “phone numbers, donation history and events attended”.

There is no guarantee that the hackers destroyed this data despite the ransom being paid, and the length of time Blackbaud took to deal with this issue has left those affected unable to take steps to prevent themselves.

If you want advice on how to handle these kind of situations and your data protection procedures, get in touch with us today for our expert advice.