Blackbaud GDPR Data Breach Compensation Claims Guide – How To Claim?

My Data Privacy Was Breached By Blackbaud Data Breach, Could I Claim Compensation?

Have you fallen victim to the Blackbaud data breach? Has the exposure of your personal data affected you financially or caused distress, depression or anxiety? If so, you could be eligible to make a data breach claim against the organisation that exposed your data.

Many people’s personal data was breached in the Blackbaud hack, when a ransomware attack on the cloud service provider occurred back in May 2020. The breach affected software used by universities, charities, schools and other organisations. But how do you know if you could claim compensation? We’ve created this guide to help you.

Blackbaud data breach compensation claims guide

Blackbaud data breach compensation claims guide

All organisations have a legal responsibility to protect any personal data they collect, store and process. If an organisation breaches your data privacy, this could have a number of unwelcome results. You could become the victim of fraud or identity theft.

In some cases, you could suffer the psychological effects of a data breach, such as loss of sleep or anxiety.

However, the Blackbaud hack has affected you, whether financially or emotionally, you could be eligible for compensation if you can prove the breach and harm caused.

This guide explains how the Blackbaud breach occurred, your legal rights and how to begin a claim with the help of a data breach lawyer. If you have any questions about making a claim, please feel free to call our helpful team.

We could offer you free legal advice, or help you begin a claim by connecting you with a No Win No Fee data breach solicitor. You can reach us on 0161 696 9685.

Select A Section

A Guide On Claiming Compensation For The Blackbaud Data Breach

The Blackbaud data breach caused a large number of people’s personal data to be exposed. Such a data breach could affect victims in a number of different ways. They could suffer financially if someone was able to use exposed data to commit identity fraud or theft. However, they could also be affected mentally, suffering anxiety and loss of sleep due to the breach of their personal data.

But is there anything victims of the Blackbaud hack could do about their personal data being breached? Could they complain to the Information Commissioner’s Office? And could they claim data breach compensation for the harm they’ve suffered?

We have created this guide to answer these questions and give you some information about claiming compensation for a breach of your data.

In the sections below, we offer a wealth of advice on how the Blackbaud incident occurred, and how many people could potentially be affected. We also explain more about your data rights and the role of the Information Commissioner’s Office in upholding those rights.

Further to this, we offer guidance on how to go about making a claim and why choosing a data breach lawyer to help you could be a good idea. Finally, we show you how No Win No Fee claims work, and how we could assist you with finding a lawyer that works under these terms.

What Was The Blackbaud Data Breach?

Organisations that store and process personal data have a legal duty under the General Dara Protection Regulation (GDPR) and the Data Protection Act 2018 to protect that data. Should they fail to do so, and a breach occurs, victims could claim data breach compensation for the material and non-material harm they suffer as a result. But what is personal information, and how did the Blackbaud data breach happen?

Personal Data Explained

The ICO defines personal data as information relating to natural persons that could be used to identify them. This includes information that could identify someone on its own, and information that could be used in combination with other data to identify someone.

Such data could include your contact details, name, e-mail address, IP address, as well as sensitive financial information, such as bank details and medical data, to name a few examples.

What Is A Personal Data Breach?

The ICO defines a data breach as a security incident that causes the loss, destruction, access, or disclosure of data in an unauthorised or unlawful manner. A data breach could be the result of an accident, negligence, or a malicious act.

Examples of data breaches could include:

  • A hacker getting into cloud computing systems and using a bot, malware, a virus, spyware, ransomware or DDoS attacks to breach data
  • Phishing attacks
  • Lack of protection when it comes to cybersecurity, such as the failure to use a firewall, for example
  • The loss of computer equipment that contains personal data
  • Theft of computer equipment
  • E-mails containing personal data being sent to the wrong recipient

The Blackbaud Incident

In May 2020, a cloud database service provider named Blackbaud fell victim to a ransomware attack. Hackers managed to gain access to the developer’s systems and took the personal data of those people who had shared their data with the company.

Blackbaud’s customers included charities, such as the National Trust, and several UK universities. Blackbaud paid an undisclosed sum to the perpetrators of the attack and was confident that they had destroyed the data they stole. However, this breached the personal data of many people.

Personal Data Exposed By The Blackbaud Data Breach

Initially, Blackbaud said that no financial information was exposed on the dark web by the attack. However, they later admitted that the criminals may have accessed payment details and passwords amongst the stolen subset of data, which included:

  • Names
  • Phone numbers
  • Genders
  • E-mail addresses
  • Other personal records, such as achievements and qualifications

If you can prove that you have fallen victim to the Blackbaud data breach and suffered damage as a result, you could be eligible to claim compensation. Here at Legal Helpline, we could connect you with an experienced data breach solicitor from our panel who could assist with your claim.

What Is The Sharing Of Information Without Permission?

The General Data Protection Regulation, or GDPR, is the world’s strictest and most far-reaching data privacy and security law. The UK’s application of GDPR has been enshrined into law in the form of the Data Protection Act 2018.

Under data protection law, data controllers are not authorised to share your personal data without your consent, unless for one of the below ‘valid reasons:

  • Public interest tasks
  • Legal obligations
  • Vital reasons (to save or protect life)
  • Legitimate interests
  • Contract fulfilment

If a data controller shares personal data without consent and for a reason other than those specified above, this could represent a breach of GDPR. Under Sections 168 and 169 of the Data Protection Act 2018, victims of such a breach could claim compensation for distress and other non-material harm, as well as the financial impact of the breach.

Can The ICO Issue Fines?

The Information Commissioner’s Office is the UK’s independent body responsible for enforcing data protection law, namely:

  • Freedom of Information Act
  • INSPIRE Regulations
  • Privacy and Electronic Communications Regulations (PECR)
  • The re-use of Public Sector Information Regulations

Does The ICO Enforce GDPR?

Yes, the ICO can enforce GDPR in the UK. It can investigate breaches of GDPR and if necessary, could take enforcement action such as issuing financial penalties.

Examples of ICO Fines

In 2019, the ICO found a UK company, Bounty, in breach of the first data protection principle of the DPA. It issued the company with a fine of £400,000. An investigation by the ICO found that Bounty had processed the personal data of more than 14 million people without their consent.

The ICO has also fined organisations that have failed to pay the data protection fee to the ICO.

Calculating Blackbaud Data Breach Compensation Amounts

Those who suffer financial or mental damage as the result of a data breach could, under Section 168 and 169 of the Data Protection Act 2018, receive compensation for the damage they suffer.

In a case from 2015, a legal precedent was set that changed the previous legal position. In the past, financial damage was required to claim compensation for mental distress. The case in question was Vidal-Hall and others v Google Inc [2015], and in it, the Court of Appeal held that compensation could be sought for either form of damage, without the need for financial harm. This means that the victims of a data breach that lose sleep, suffer anxiety, distress or stress as the result of a data breach could receive compensation for their injuries.

How To Calculate Data Breach Claims

In order to work out an appropriate level of compensation for a data breach claim, a solicitor would need to review all the evidence. Assessing financial harm may mean reviewing bank statements and credit card statements.

However, calculating compensation for psychological injuries could be a little more complex. As there is no definitive price tag for a psychological injury, the claimant must obtain a medical report detailing their injuries and prognosis. The report must come from an independent expert, who the claimant would visit as part of their claim. And the findings contained in that report would be used to both prove the causally-related harm as well as help value your injuries.

To come to a valuation, lawyers turn to a publication called the Judicial College Guidelines, to arrive at an appropriate settlement amount. We have produced a table containing guideline payout amounts from this publication to give you some insight into potential compensation amounts.

Type of InjuriesJCG Bracket for CompensationHow Severe?
General psychological damage£51,460 to £108,620Severe
PTSD (A Post-traumatic stress condition)£56,180 to £94,470Severe
PTSD (A Post-traumatic stress condition)£21,730 to £56,180Moderately severe
General psychological damage£17,900 to £51,460Moderately severe
General psychological damage£5,500 to £17,900Moderate
PTSD (A Post-traumatic stress condition)£7,680 to £21,730Moderate
General psychological damageUp to £5,500Less severe
PTSD (A Post-traumatic stress condition)Up to £7,680Less severe

For a more precise estimate of your compensation award, please get in touch with our team.

Types Of Data Breach Compensation Which May Be Awarded

We already know that victims of a data breach could claim for non-material (psychological) and material harm (financial), but what could this encompass?

  • Non-Material Harm – If you’ve suffered emotionally because of the Blackbaud data breach, this may have caused you to experience loss of sleep, anxiety and distress. But these are not the only non-material damages you could suffer in a data breach case. If sensitive information is exposed in a data breach, this could cause reputational damage in some cases, perhaps leading to discrimination against you.
  • Material Harm – If your bank account details or other financial information has been breached, this could cost you financially. You could become the victim of fraud, identity theft or you could even have your bank accounts drained. You could include financial damages in a data breach claim.

How To Report The Blackbaud Data Breach To The ICO

Do you have proof that you’ve been harmed by the Blackbaud data breach, either emotionally, financially or both? If you do, you should, as per the ICO’s guidance, contact the organisation that breached your data.

You should put your complaint in writing and include the details of what you believe has happened and how it has affected you. If the response you receive is not satisfactory, you could go on to escalate the breach to the ICO. The ICO breach register may already contain details of the Blackbaud hack, but if you believe the organisation aren’t taking your complaint seriously, you could still report it to the ICO.

If you choose not to complain to the ICO, this doesn’t mean you could not claim data breach compensation. Should three months have passed since you’ve had any meaningful contact with the organisation that breached your data, you could look for a data breach solicitor. They could help you claim the compensation you deserve.

No Win No Fee Claims For The Blackbaud Data Breach

If you’d like free legal advice in relation to the Blackbaud data breach, you may be looking to have a data breach solicitor help you. If you are, you might be pleased to find out that a No Win No Fee solicitor doesn’t require any funds upfront to get started. Better still, you would not need to pay your lawyer any legal fees at all if they didn’t obtain a settlement for you.

How Do No Win No Fee Claims Work?

  • Initially, your solicitor would send you a No Win No Fee Agreement. This document would detail the ‘success fee’ you’d need to pay the data breach solicitor out of your compensation. This is a small, legally capped percentage of your total payout.
  • When you sign and send back the agreement, your lawyer would be able to begin your claim. They would put together all the relevant information and evidence and put the case to the organisation. They would then negotiate a settlement on your behalf.
  • If the liable party (or their insurer) pays you compensation, your lawyer would take out the success fee, leaving the balance for your benefit. If there is no compensation arrangement, you wouldn’t pay your solicitor the success fee, nor would you have to pay any of their legal costs.

If you’d like to known more about No Win No Fee claims in relation to the Blackbaud data breach, why not take a look at our guide, or give us a call to discuss this.

How A Specialist Data Breach Lawyer Could Help You

We should clarify that you do not have to use a data breach lawyer to assist with a Blackbaud data breach claim. However, many people choose to do so. A data breach solicitor could:

  • Ensure you have a strong case for compensation
  • Take away some of the stress of completing legal paperwork
  • Make sure you claim for everything you’d be eligible for
  • Negotiate the maximum settlement possible for your claim

How To Find Your Lawyer

A simple web search for a data breach solicitor could bring up a whole host of results. So how do you work out which law firm or lawyer would suit your needs?

You could ask friends or relatives for advice, or read reviews left by previous claimants. Or you could call Legal Helpline for advice and support in finding the right data breach lawyer for you. We could give you lots of information on the data breach solicitors we could connect you with from our panel, which could give you all the information you need to make the right decision for you.

What Should I Do If Affected By A Data Breach?

We have previously mentioned that victims of the Blackbaud data breach could report their concerns directly with the organisation. If you’re wondering what to include in a data breach report, the following could be useful:

  • Details of who you are so the organisation could identify you. This could include an account number, as well as your name and contact details, for example.
  • How you believe the breach happened
  • The effects of the data breach on you (financially and emotionally)
  • A timeframe for the organisation to respond to your complaint

If you’ve not received a satisfactory response, you could escalate your concerns to the ICO. Whether you do or do not escalate your concerns to the ICO, you could look for a data breach lawyer to help you get the compensation you deserve. Here at Legal Helpline, we’d be happy to connect you with such a lawyer.

Contact A Data Breach Specialist

If you’re looking for more advice on the Blackbaud data breach and the effects it has had on you, we could help. We’d be glad to talk to you about your experience and assess your eligibility to claim. We could even connect you with a No Win No Fee data breach lawyer from our panel to get started with your claim. You can contact us:

Blackbaud Data Breach FAQs

How Long Does It Take To Recover From A Data Breach?

Companies take, on average, 197 days to identify data breaches. In addition to this, they take, on average, a further 69 days to contain such a breach.


What Type Of Cyberattack Occurred?

The Blackbaud data breach involved a ransomware attack. This is a type of cyber attack where perpetrators hold data for ransom. The perpetrator would usually ask for a monetary ‘reward’ for the safe disposal/destruction of stolen data.

What Data Systems Were Involved?

The Blackbaud hack affected persons connected with organisations including:

  • A number of Oxbridge colleges
  • Action on Addiction
  • Breast Cancer Now
  • Maccabi GB
  • Several private schools
  • Sue Ryder
  • The Choir with No Name
  • The National Trust
  • The Wallich
  • Universities including Birmingham, Brunel, East Anglia, Exeter, Heriot-Watt, Leeds, London, Northampton, Reading, Staffordshire, Sussex and West London as well as others
  • Urology Foundation


What Data Could Have Been Leaked On The Darkweb?

The data that the hacker may have put on the dark web could include:

  • Addresses
  • Dates of birth
  • Donation history
  • Email addresses
  • Events that individuals attended
  • Names
  • Phone numbers

If you believe your data has been compromised, please speak to our team. We’d be happy to help you see if you could be eligible for compensation.

Where To Learn More

Employer Data Breach Victims – This guide offers guidance on claiming against an employer for a data breach.

Pharmacist Breached My Data – If a pharmacy has breached your personal data, you may find this guide of interest.

Medical Breaches – Medical records could contain very sensitive data. If someone breaches this data, you could be eligible for compensation.

GDPR – You can read the GDPR in full by clicking here.

Raising A Data Related Complaint – If you want to complain about how your data is being used, this could help.

Government Guide To Data Protection – Here, you can find government guidance on how organisations can and cannot use data.

Thank you for reading our guide to the Blackbaud data breach.


Guide by JJ

Edited by REB