Blackbaud A.I CyberSecurity Scoring
Blackbaud
Company Information
Website:http://www.blackbaud.com
Employees number:3,125
Number of followers:123,245
NAICS:5112
Industry Type:Software Development
Homepage:blackbaud.com
Blackbaud Risk Score (AI oriented)
Between 650 and 699
BlackbaudSoftware Development
Updated:
23/04/2026
23/04/2026
653/1000
Weak
B
Blackbaud Global Score (TPRM)
xxxx
BlackbaudSoftware Development
Score locked

BlackbaudWeak
Current Score
653B (WEAK)
01000
3 incidents
-63 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
654
JUNE 2026
652
MAY 2026
652
APRIL 2026
716
Breach
22 Apr 2026 • Blackbaud
Barracuda Networks, Inc., Zoll Medical Corporation, Blackbaud and Inc.: Legal Analysis: Insurer Subrogation Rights Under Scrutiny
Court Rulings on Subrogation Rights in Cybersecurity Breaches: Axis v. Barracuda and Travelers v. Blackbaud
653
CRITICAL-63
BLABARZOL1776911191
Court Rulings Shape Subrogation Rights in Cybersecurity Breaches: Key Cases Define Vendor Liability
Two recent court decisions Axis Insurance Company v. Barracuda Networks, Inc. (2025) and Travelers Casualty and Surety Company of America v. Blackbaud, Inc. (2026) have clarified the limits of insurers’ subrogation rights against vendors following data breaches, with outcomes hinging on contractual relationships and legal standing.
### Axis v. Barracuda: No Privity, No Subrogation
In Axis v. Barracuda, the U.S. First Circuit Court of Appeals ruled on November 20, 2025, that insurer Axis could not pursue subrogation against Barracuda Networks after a breach exposed Zoll Medical Corporation’s customer data. The case stemmed from a 2023 incident where Barracuda’s email archiving service, used by Zoll’s vendor Fusion LLC, was compromised. Zoll settled a class-action lawsuit from affected customers and sought recovery from Fusion and Barracuda.
The court rejected Axis’s equitable indemnification claim, finding no direct or vicarious contractual relationship between Zoll and Barracuda only a chain of independent contracts (Zoll-Fusion, Fusion-Barracuda). Without privity, the court ruled that equitable indemnification, a narrow remedy, could not reallocate risk post-breach. The First Circuit also dismissed Axis’s breach-of-contract claim, affirming that Fusion failed to meet a contractual condition precedent (a liability-limiting provision) and that Barracuda’s lack of audit obligations did not waive this defense. Similarly, Axis’s claim for breach of the covenant of good faith failed, as Fusion had not negotiated protections for breach scenarios.
### Travelers v. Blackbaud: Direct Contracts Enable Subrogation
In contrast, the Delaware Supreme Court ruled on February 13, 2026, in Travelers v. Blackbaud that insurers could proceed with subrogation claims against the software provider. Blackbaud, which provided donor management services to nonprofits, suffered a 2020 ransomware attack but offered clients only a self-remediation "toolkit" instead of direct support. Insurers, including Travelers, covered their policyholders’ incident response costs (legal fees, notifications, credit monitoring) and sued Blackbaud for recovery.
The lower court dismissed the case, citing insufficiently pleaded aggregate claims under New York law. However, the Delaware Supreme Court overturned the decision, finding that the insurers had adequately alleged breach of contract. Unlike Axis, the insureds had direct contracts with Blackbaud, giving insurers standing to pursue subrogation. The court emphasized that Blackbaud could address individual claims through discovery, and that foreseeable breach-related costs (e.g., remediation expenses) constituted recoverable damages.
### Key Takeaways: Contracts Determine Liability
The rulings underscore a critical distinction: subrogation claims against vendors require a direct contractual relationship between the insured and the breached party. In Axis, the lack of privity doomed the claim, while Travelers succeeded because the insureds’ contracts with Blackbaud established clear liability pathways. Both decisions reinforce that:
- Equitable indemnification is unavailable without a direct or derivative contractual link.
- Breach-of-contract claims hinge on compliance with contractual terms, including conditions precedent.
- Aggregate subrogation may proceed if insurers plead sufficient facts, as seen in Travelers.
The cases signal that cyber insurers and policyholders must scrutinize vendor contracts for liability clauses, indemnification rights, and subrogation waivers to mitigate exposure in breach scenarios.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
MARCH 2026
715
FEBRUARY 2026
714
JANUARY 2026
713
DECEMBER 2025
718
NOVEMBER 2025
711
OCTOBER 2025
710
SEPTEMBER 2025
709
AUGUST 2025
708
MAY 2020
658
Breach
01 May 2020 • Blackbaud
Emma Willard School
Emma Willard School Data Breach (2020)
583
CRITICAL-75
BLA256082125
On May 14, 2020, Emma Willard School suffered a data breach caused by an external hacking incident. The breach exposed Social Security numbers (SSNs) of 2,273 individuals, including 16 Maine residents, potentially leading to identity theft risks. The school took nearly five months to notify affected individuals, sending letters on October 28, 2020, and offered 24 months of identity theft protection services as a remedial measure. The compromised data—primarily SSNs—poses a long-term risk of financial fraud, unauthorized account openings, and other identity-related crimes. The delay in disclosure may have further exacerbated vulnerabilities for the victims. The breach highlights systemic weaknesses in the institution’s cybersecurity defenses, particularly in safeguarding highly sensitive personal identifiers from external threats.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
FEBRUARY 2020
760
Ransomware
07 Feb 2020 • Blackbaud
Blackbaud, Inc.
Maryknoll School Data Breach
652
CRITICAL-108
BLA551072625
The Hawaii Attorney General's Office reported that Maryknoll School experienced a data breach involving Blackbaud, Inc. on July 16, 2020. The breach, which was a ransomware attack, occurred between February 7, 2020 and May 20, 2020, affecting personal information of 2 individuals, including names and Social Security numbers. Maryknoll School began mailing notification letters to the affected individuals on March 24, 2021.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Blackbaud ??
What was Blackbaud's A.I Rankiteo Cyber Score in June 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in May 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in April 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in March 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in February 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in January 2026 ??
What was Blackbaud's A.I Rankiteo Cyber Score in December 2025 ??
What was Blackbaud's A.I Rankiteo Cyber Score in November 2025 ??
What was Blackbaud's A.I Rankiteo Cyber Score in October 2025 ??
What was Blackbaud's A.I Rankiteo Cyber Score in September 2025 ??
What was Blackbaud's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Blackbaud's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Blackbaud ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Blackbaud's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?