Donor Data Security After Blackbaud: A Stewardship Playbook for Nonprofits

Published on May 11, 2026

In July 2020, a single ransomware incident at a fundraising-software vendor reshaped how the nonprofit sector thinks about donor data. Blackbaud – at the time the dominant CRM and donor-management platform across higher education, hospitals, religious organizations, and humanitarian charities – disclosed that attackers had exfiltrated customer data months earlier. By the time the dust settled, more than 13,000 nonprofit, healthcare, and educational institutions had been affected. Public settlements eventually reached $49.5 million to a coalition of 49 state attorneys general, $6.75 million to California separately, and $3 million to the SEC.

Six years on, “Blackbaud” has become shorthand for a specific kind of nonprofit board-level liability: the moment a third-party SaaS vendor mishandles your donor data and you discover, mid-deposition, that you have no idea what was exposed, when, or to whom.

This post isn’t a recap of the breach – that ground has been covered. It’s a practical stewardship playbook for nonprofit leaders – boards, executive directors, CFOs, IT leads – about what should be different in 2026, and why most organizations still haven’t made the change.

What the Breach Actually Taught Us

Three lessons from Blackbaud have aged into uncomfortable truths:

1. The vendor’s “we deleted it” claim isn’t worth much. Blackbaud paid the ransom and accepted the attackers’ assurance that the exfiltrated data had been destroyed. That assurance was, predictably, worthless – but customers had already been told it was fine. Your incident-response posture cannot depend on a criminal’s promise.

2. Notification timelines stretched into the absurd. Many affected nonprofits didn’t notify donors for months. By that point, donor trust – the actual asset – was already eroded by news coverage, and the legal exposure under state breach-notification laws had compounded.

3. The biggest cost wasn’t the settlement. It was the discovery, during litigation, that organizations could not produce a forensic record of who had touched donor data, when, or under what authorization. The audit trail simply didn’t exist in a defensible form.

Why Nonprofits Are Disproportionately Targeted

The threat landscape has gotten worse, not better, since Blackbaud. According to Microsoft’s Digital Defense Report 2024, nonprofits are the fourth-most-targeted sector by nation-state actors. Okta’s 2025 Nonprofits at Work report places them at #2 overall. Cloudflare’s Project Galileo measured a 241% increase in DDoS attacks against civil-society organizations between 2024 and 2025.

The reasons are structural, not coincidental:

  • Rich PII, weak controls. Donor records, beneficiary case files, immigration status, child-sponsorship details, abuse-survivor data – nonprofit databases hold information that’s high-value on dark markets and difficult to replace if exposed.
  • Lean IT teams. The median U.S. nonprofit IT team is one to three people, often without dedicated security leadership.
  • Vendor sprawl. A typical mid-sized nonprofit runs thirty or more SaaS tools, each one a potential breach vector.
  • Mission urgency over governance discipline. Boards focus on impact, not on documentary evidence trails.

The result: roughly 60% of nonprofits surveyed have suffered a successful cyber incident in the past two years, attacks on the sector are rising 30% year over year, and the average global cost of a data breach has crossed $4.4 million. Nonprofit margins do not absorb $4.4 million well.

The Question Most Boards Should Be Asking

In post-Blackbaud reviews across faith-based relief organizations, foundations, and large 501(c)(3)s, the executive question that actually matters is rarely “Which third-party VDR or CRM should we trust next?”

It’s: “Why is our donor data outside our security boundary in the first place?”

For organizations already running Microsoft 365 – which is most of them, given Microsoft’s nonprofit licensing program – donor financials, board materials, beneficiary case files, and audit-committee documents are nonetheless sitting in third-party clouds outside that tenant: clouds the organization has no direct visibility into, no audit-log access for, and no breach-notification timeline control over. Each one is a Blackbaud waiting to happen.

This isn’t an argument against using a CRM. Donor management workflows are real and valuable. It’s an argument for keeping the sensitive document layer – the financials, the wealth screens, the case files, the board packs – inside the security boundary your IT team already governs, while the CRM continues to handle the relationship layer.

Four Pillars of Modern Donor Data Stewardship

Whatever software you choose, any defensible donor-data posture in 2026 needs these four capabilities. They’re not features; they’re outcomes you must be able to demonstrate to a state AG.

1. Identity-Bound Access

Email links and “anyone with the link can view” are how data leaks in 2026. Every access event needs to be tied to a verified identity, with conditional access policies (location, device, MFA) applied at the session level. If you cannot answer “exactly who saw this file, from what device, on what date” with a name and a timestamp, your access control is not defensible.

2. Persistent File Protection That Travels With the Document

Sensitivity labels – via Microsoft Purview or equivalent – need to ride with the file even after it leaves your tenant. A donor-financials PDF emailed to outside counsel should remain encrypted, identity-gated, and revocable from your end. Without persistent rights management, you are trusting recipients to manage your data correctly. They will not.

3. Evidence-Grade Audit, Not Marketing Reports

The Blackbaud lawsuits made one thing clear: in litigation, “we have a dashboard that shows access” is not the same as a forensically retainable, time-stamped, identity-tied unified audit log. The first is a marketing artifact; the second is admissible evidence. Boards should ask the IT team specifically which one they have. The Microsoft Unified Audit Log is the second; almost nothing else in the nonprofit SaaS stack qualifies.

4. Clean Close-Out

When a capital campaign concludes, when an investigation ends, when a grant cycle closes – materials need to be retained according to policy and the relevant access has to terminate cleanly, with a defensible record set preserved. “We just left the SharePoint site up” is the dominant practice; it is also the dominant audit finding.

Why Microsoft 365-Native Architecture Matters Here

A Microsoft 365 tenant out of the box is not a virtual data room. But it is the substrate from which one can be built – and most nonprofits already pay for the components.

  • Entra ID provides the identity fabric: who you are, what conditions apply, every session.
  • Purview provides the information-protection fabric: sensitivity labels, retention policies, classification.
  • Unified Audit Log provides the evidentiary fabric: every meaningful action across SharePoint, Teams, OneDrive, Exchange.

What’s missing in raw Microsoft 365 is the operating discipline – the room provisioning, template enforcement, defensible offboarding, and matter-level reporting that turns those underlying capabilities into something a CFO or general counsel can defend in court. That’s the layer Govern 365 provides, and it’s why a Microsoft-native VDR posture is structurally different from running another third-party SaaS alongside your CRM.

The strategic implication: if you’re already paying for Microsoft 365 – and you almost certainly are, via the Microsoft Tech for Social Impact program – every additional third-party cloud you stand up is a marginal increase in your breach surface for no marginal increase in capability.

A Practical Stewardship Checklist

For boards and IT leaders auditing your current posture, six questions to ask before your next board meeting:

  1. Where does our donor data physically reside today? Specifically: which vendor clouds, in which geographies, under which data-processing agreements.
  2. Who has access, and how do we know? Pull the access logs for your top three sensitive datasets right now. Can your IT team produce them in under an hour?
  3. What’s our breach-notification timeline? From vendor disclosure to donor notification – how many days, governed by which contractual clause?
  4. What’s our incident-response plan? A documented one, tested in the last twelve months, with named owners.
  5. Can we forensically reconstruct who accessed what? Not “can we generate a report” – can we produce litigation-grade evidence?
  6. What’s our close-out discipline? When a campaign or matter ends, what happens to the data, on what schedule, with what record preservation?

If most of these answers are “we’d have to ask the vendor” or “we don’t know,” you have a pre-Blackbaud posture in a post-Blackbaud world.
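One way to make checklist items 2 and 5 concrete, as an added example (not code from the original post or from Govern 365): a PowerShell script that pulls the file-access trail for one SharePoint site from the Microsoft 365 Unified Audit Log, scopes it to that site, and preserves it as a SHA-256-hashed CSV with a manifest. The site URL, date window and output paths are placeholder assumptions; it assumes the ExchangeOnlineManagement module and an account holding an audit-log reader role.

```powershell
# Added example, not code from the original post or from Govern 365.
# Pull the file-access trail for one SharePoint site from the Unified Audit Log
# and preserve it as a hashed CSV plus a manifest describing the query.
# Assumes ExchangeOnlineManagement is installed and the caller can read audit logs.
param(
    [string]   $SiteUrl = "https://contoso.sharepoint.com/sites/CapitalCampaign",  # placeholder
    [datetime] $Start   = (Get-Date).AddDays(-90),
    [datetime] $End     = (Get-Date),
    [string]   $OutFile = ".\capital-campaign-audit.csv"                           # placeholder
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Operations that answer "who saw, downloaded, shared or removed this file".
$ops = "FileAccessed","FileDownloaded","FileSyncDownloadedFull",
       "SharingSet","AnonymousLinkCreated","SharingInvitationCreated","FileDeleted"

# Page through the log under one session id; ReturnLargeSet yields up to 50,000 rows.
$sessionId = [guid]::NewGuid().ToString()
$rows = [System.Collections.Generic.List[object]]::new()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $ops `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    foreach ($r in $page) {
        $d = $r.AuditData | ConvertFrom-Json      # per-record detail is a JSON string
        if ($d.ObjectId -notlike "$SiteUrl/*") { continue }   # scope to this matter's site
        $rows.Add([pscustomobject]@{
            TimeUtc   = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            File      = $d.ObjectId
            ClientIP  = $d.ClientIP
            UserAgent = $d.UserAgent
            RecordId  = $d.Id                     # unique id of the audit record
        })
    }
} while ($page -and $page.Count -gt 0)

$rows | Sort-Object TimeUtc | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
$hash = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash

# Manifest: what was asked, over which window, how many records, and the export hash.
[pscustomobject]@{
    Site = $SiteUrl; WindowStart = $Start.ToString("o"); WindowEnd = $End.ToString("o")
    Operations = ($ops -join ","); RecordCount = $rows.Count
    ExportedUtc = (Get-Date).ToUniversalTime().ToString("o"); Sha256 = $hash
} | ConvertTo-Json | Set-Content -Path "$OutFile.manifest.json"

Disconnect-ExchangeOnline -Confirm:$false
```

Store the CSV and manifest on write-once or retention-locked storage so the hash can later be re-checked against what was produced.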

The Stewardship Bottom Line

Donor data isn’t just records. It’s the documentary expression of trust between your organization and the people who chose to fund your mission. Stewarding that trust well in 2026 means not outsourcing the security of it to vendors whose first instinct, when something goes wrong, is to pay the ransom and tell you the data was probably deleted.

The technology to keep this data inside your own security boundary already exists – and you’re probably already paying for it. The change required is organizational, not budgetary: it’s the decision to treat donor records the way a hospital treats patient records, the way a law firm treats privileged communications, and the way a bank treats account data. As assets that don’t leave the building.

For nonprofits that already run on Microsoft 365, that change is closer within reach than you may realize.

Want to see how a Microsoft 365-native VDR keeps donor data, beneficiary records, and board materials inside your own tenant?

Frequently Asked Questions

What was the Blackbaud data breach and when did it happen?

The Blackbaud breach was a ransomware attack on cloud fundraising-software vendor Blackbaud, disclosed in July 2020. Attackers exfiltrated customer data – including donor records, financial information, and constituent files – from approximately 13,000 nonprofit, healthcare, and educational customers. Blackbaud paid the ransom and accepted the attackers’ assurance that the data had been destroyed.

How much did the Blackbaud settlements ultimately cost?

Public settlements include $49.5 million to a coalition of 49 state attorneys general, $6.75 million to California separately, and $3 million to the SEC. Individual class actions and breach-notification costs added significantly more. The total cost to Blackbaud’s customers – in remediation, notification, and reputational damage – has never been fully quantified.

Could the same kind of breach happen with another vendor?

Yes, and at a higher rate than in 2020. Cloudflare’s Project Galileo measured a 241% increase in attacks on civil-society organizations between 2024 and 2025. Microsoft’s Digital Defense Report 2024 places nonprofits as the fourth-most-targeted sector by nation-state actors. The structural conditions that made Blackbaud-class events possible – heavy reliance on third-party SaaS for sensitive data, lean nonprofit IT teams, weak vendor-side audit transparency – have not improved.

Is moving donor data into Microsoft 365 enough on its own?

No. A Microsoft 365 tenant out of the box is the substrate, not the solution. To deliver virtual-data-room-grade outcomes – identity-bound access, persistent protection, evidence-grade audit, and clean close-out – you need an operating discipline on top: room provisioning from templates, sensitivity-label enforcement, unified audit log queries scoped to specific matters, and defensible offboarding. Govern 365 provides that operating layer inside the Microsoft 365 boundary.

What’s the difference between donor management software and donor data security?

Donor management software (Bloomerang, DonorPerfect, Salesforce NPC, Blackbaud) handles the relationship layer: contact records, gift history, communication preferences, pipeline management. Donor data security is about the document layer: where the wealth screens, audited financials, capital-campaign decks, major-gift correspondence, and board-committee files live, and who can access them under what conditions. Most nonprofits conflate the two, and most data breaches happen in the document layer that almost no one is governing.

How long should nonprofits retain donor data?

Retention should be governed by policy, not accident. Best practice for U.S. 501(c)(3)s is to align retention with IRS substantiation requirements (generally seven years for documents supporting deductions), state-specific charitable-solicitation rules, donor-restriction durations, and litigation-hold obligations. The critical point is that retention should be policy-driven and defensibly applied – not the result of “we just never deleted any of it.”
