A third-party service provider for at least two Iowa nonprofits experienced a massive ransomware attack, affecting more than 20 universities and nonprofits in the U.S., the U.K. and Canada. Blackbaud, an international provider of cloud-based fundraising and finance services, notified the Iowa State University Foundation on July 16 that donor information stored by the ISU Foundation, including names, dates of birth, addresses, phone numbers and donor history with the foundation, may have been accessed or removed during a data breach between Feb. 7 and May 20. The foundation does not store Social Security numbers or bank, credit or debit information for donors, so that data is not at risk, the ISU Foundation said in an announcement.
Blackbaud also notified Living History Farms of the breach. In a statement shared by Living History Farms, Blackbaud said “…the cybercriminal did not gain access to bank account information, usernames, passwords, or social security numbers stored in your database because they were encrypted. None of your data was lost or corrupted as a result of this incident.”
Blackbaud confirmed it paid an undisclosed ransom amount to have the cybercriminal and third-party experts confirm the data was destroyed. The ISU Foundation launched an internal investigation that included Blackbaud to “understand why there was a delay between it finding the breach and notifying us,” the foundation’s FAQ states. The foundation also reported it is “evaluating the scope of our relationship with Blackbaud going forward.” Blackbaud is being criticized internationally for taking weeks to inform customers of the hack, including U.K. customers protected under the General Data Protection Regulation, which requires companies to report a significant breach of data to authorities within 72 hours of identifying an incident, the BBC reports. In the U.S., five universities and three more nonprofits, including Human Rights Watch, were also affected, according to the BBC.