On 16 July, when it disclosed that it had been hit by ransomware, and paid a ransom as it was unable to block the attack before its data was exfiltrated, though it managed to prevent the encryption taking place, Blackbaud said: "The cyber criminal did not access credit card information, bank account information, or social security numbers."
The firm has now updated the earlier statement to clarify that the attackers did indeed gain access to personal information.
"After 16 July, further forensic investigation found that for some of the notified customers, the cyber criminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords," Blackbaud said.
It tried to play down the severity of the leak, saying, "In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the security incident.
"Customers who we believe are using these fields for such information are being contacted the week of 27 September and are being provided with additional support."
Blackbaud, which reported revenue of US$900,423 (A$1.28 billion) in 2019, has operations in North America including Canada, Europe and the Pacific region. It has hubs in Charleston (South Carolina), Austin (Texas), London and Sydney.
Blackbaud said in its 2019 annual report: "At the end of 2019, we had over 45,000 global customers including non-profits, foundations, companies, education institutions, healthcare organisations and other social good entities.
"There are millions of users of our solutions in more than 100 countries. Our largest single customer accounted for less than 1% of our 2019 consolidated revenue."
It employs 3611 people and on 31 December 2019, Blackbaud had US$634.1 million (A$905.6 million) and US$317.9 million of goodwill and intangible assets respectively. It also had deferred tax assets of US$93.8 million.
It is now common for attackers who use ransomware to hit companies to first exfiltrate the data using PowerShell scripts and then encrypt the victim's data on-site. This gives them two avenues for putting pressure on the victim to pay the ransom.
Brett Callow, threat researcher with the New Zealand-based security firm Emsisoft, said: "Working out what did and did not happen in the aftermath of a ransomware incident requires a forensic investigation that can take weeks to complete.
"To my mind, these incidents should be treated as data breaches from the get-go and customers and business partners [should be] immediately notified so they can take steps to minimise their exposure."