Ransomware attack on cloud-services provider affects charities and not-for-profits

July 17, 2020 | Nicole K. D’Aoust, David Krebs

A company that supplies cloud fundraising and accounting software to the charity and not-for-profit sector announced yesterday that it experienced a ransomware attack in May 2020.  Blackbaud is the company behind such programs as Raiser’s Edge NXT, eTapestry, and The Financial Edge. The company’s press release discussing the breach can be found on their website.

Blackbaud’s affected clients should have received a notification with the specific details of what data may have been impacted.  That being said, we are encouraging charities and not-for-profit organizations to verify whether they have used, or are currently using, any Blackbaud software and to contact Blackbaud for confirmation regardless of whether or not they received a notification.

If your organization was affected, you should take the following steps:

1) understand the contents of the notification and obtain clarification from Blackbaud if you do not;
2) understand the nature of the information at issue, whether any personal information was at risk, and assess your organization’s legal requirements as an entity “in control” of the information that was breached; and
3) assess whether your organization has a legal or other obligation to notify any individuals, including donors, or other affected individuals of the breach.

Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.

Moreover, regardless of the type of software your organization uses, charities and not-for-profits must ensure they have their own internal policies and practices to safeguard against cybersecurity incidents and take steps to ask their service providers how those providers protect data.

If your organization was affected, or your organization was not affected but would like to ensure it is better protected, we can assist.  Please reach out to the authors or any member of our Social Impact or Privacy, Cybersecurity, and Technology Law teams.  More information about our teams can be found on Miller Thomson LLP’s website.


This publication is provided as an information service and may include items reported from other sources. We do not warrant its accuracy. This information is not meant as legal opinion or advice.

© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided no alterations are made to the form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP which may be requested by contacting newsletters@millerthomson.com.