But an OAIC spokesperson did not go into any detail about what inquiries were made and when the organisation expected to hear back from Blackbaud.
"We can confirm we have made inquiries with Blackbaud and those inquiries are continuing," the spokesperson said in response to an inquiry.
"We expect any organisation responding to a data breach involving personal information to act quickly to contain the incident and assess the potential impact on those affected."
Blackbaud initially said the attackers had no access to customer data in July when it said it had paid the ransom, but then did a backflip in October, saying that customer data has indeed been accessed.
The company reported revenue of US$900,423 (A$1.28 billion) in 2019.
A number of class actions have been filed against Blackbaud in the US and Canada. The company has operations in the UK and Australia as well.
Blackbaud, which describes itself as the world’s leading cloud software company powering social good, said in July that data had been stolen from its servers in May, with those responsible using PowerShell scripts as is the usual practice.
"If it's likely to result in serious harm, and the organisation is covered by the Privacy Act, they must notify the people who are affected and the OAIC as quickly as possible," the OAIC spokesperson said.
"Organisations need to be proactive in protecting personal information and preventing these breaches, including supporting employees with better training, processes and technology. They should also be prepared and have a data breach response plan ready to go."