A third-party service provider to the Iowa State University Foundation experienced a massive ransomware attack, affecting more than 20 universities and nonprofits in the U.S., the U.K. and Canada. Blackbaud, an international provider of cloud-based fundraising and finance services, notified the ISU Foundation on July 16 that a data breach between Feb. 7 and May 20 may have accessed or removed donor information stored by the ISU Foundation, including names, dates of birth, addresses, phone numbers and donor history with the foundation. The foundation does not store Social Security numbers or bank/credit or debit information for donors, meaning that data is not at risk for donors, the ISU Foundation said in an announcement. Blackbaud confirmed it paid an undisclosed ransom amount to have the cybercriminal and third-party experts confirm the data was destroyed; the ISU Foundation launched an internal investigation that included Blackbaud to “understand why there was a delay between it finding the breach and notifying us,” the foundation’s FAQ states. The foundation also reported it is “evaluating the scope of our relationship with Blackbaud going forward.” Blackbaud is being criticized internationally for taking weeks to inform customers of the hack, including U.K. customers protected under the General Data Protection Regulation, which requires companies to report a significant breach of data to authorities within 72 hours of identifying an incident, the BBC reports. In the U.S., five universities and three nonprofits, including the Human Rights Watch, were also affected.