Charities and not-for-profits are hacked because of the Blackbaud ransomware attack

11th August 2020

Dozens of charities, universities and not-for-profit organisations in the UK, US and Canada have fallen victim to a high-level cyber-attack. They were exposed because their software supplier Blackbaud (the world’s largest provider of education administration, fundraising, and financial management software) was held to ransom by hackers in May.

Although Blackbaud has not yet revealed just how major the breach was, it has been widely criticised for not acting quickly enough to warn its clients that their data had been compromised.

The stolen data includes names, phone numbers, and donation and event attendance histories, but thankfully credit card and other payment details do not appear to have been taken. Blackbaud has also been quick to underline that its popular fundraising platform JustGiving was not affected by the hack.

In a statement, Blackbaud told the press that it had “discovered and stopped a ransomware attack” in May 2020 but “the majority of our customers were not part of this incident”. It then admitted the hackers had “removed a copy of a subset of data from our self-hosted environment” and that it had been told the data would be destroyed if it paid the ransom. Blackbaud confirmed the ransom had been paid, but it is still unclear whether the criminals have kept their word.

However, even though Blackbaud has apologised publicly and contacted all of the affected parties, questions are rightfully being asked as to why it has taken almost two months to admit the breach. The time lag is particularly pertinent given the General Data Protection Regulation (GDPR) states any company must report any breach within 72 hours or face heavy fines.

This incident unfortunately illustrates a worrying trend in the charity world. According to a recent study published by the Department for Digital, Culture, Media and Sport, almost a quarter of our charities were hit by some form of cyber-attack during 2019, a rise of nearly 5% on the previous year.

The study also reported that higher income charities were more likely to be attacked, as 57% of charities with annual incomes of £500,000 or more had been targeted during the previous 12 months.

Although preventing cyber-attacks is a specialist field, here are 4 preventative steps we’d recommend every charity takes:

  1. Keep your protection software up to date

Criminals keep up to date and will exploit any cracks left by the latest software updates.

  2. Keep your staff up to date

Make sure your staff know about current threats and the latest scams, and give them practical tips that will help them avoid them.

  3. Implement an easy-to-use reporting process

If your staff have any concerns, you need to make sure reporting them is as quick, easy and effective as possible so you can act immediately.

  4. Only use strong passwords

And change your strong passwords (passwords with more than 12 characters that include numbers, symbols and a mix of capital and lower-case letters) regularly, and make sure they are stored and shared safely.

If you have questions regarding any aspect of your charity’s financials or accounts (or would like our suggestions as to who you could speak to if data security is a concern), please email or call Robert on 0116 282 7000.


Registered to carry on audit work in the UK; regulated for a range of investment business activities; and licensed to carry out the reserved legal activity of non-contentious probate in England and Wales by the Institute of Chartered Accountants in England and Wales. Associate Directors of the firm are not Directors of The Rowleys Partnership Limited (registered no. 06125028) and are not subject to the obligations and responsibilities of Directors within Part 10 of the Companies Act 2006. Any reference to an individual with the job title “Partner” refers to someone who is a Director of The Rowleys Partnership Limited and also a registered member of Rowleys Group LLP (registered no. OC306056). A list of Directors and Members is available at Companies House. Details of our audit registration can be viewed at and details of our probate registration can be viewed at, both under reference number C001486455.