蜜桃影视

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, 蜜桃影视 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps. 

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by 蜜桃影视 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools. 

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs 鈥� or roughly 64,000 files 鈥� were exposed.

Company spokesperson Michele Steinmetz told 蜜桃影视 Diligent began notifying all BoardDocs customers 鈥� including those who were not directly affected  鈥� on May 30, the same day into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones. 

Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by 蜜桃影视 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised. 

In an interview with 蜜桃影视, one customer called the glitch 鈥渁n improper misconfiguration of the vendor’s products.鈥� An option to store records in 鈥渁 private folder鈥� within the district鈥檚 broader public library 鈥渃ould be misleading and people could think, and rightfully so, 鈥楢nything I put in there is not publicly available,鈥� when, in fact, it could be accessed by an unauthenticated user.鈥�

The official, who spoke on the condition of anonymity because they weren鈥檛 authorized to discuss the BoardDocs situation or draw attention to their district鈥檚 cybersecurity practices, said their school system was not 鈥渘otified proactively鈥� about the fallibility that came to light in Lower Merion.

鈥淚t was something that should not have been in place,鈥� the official said. 鈥淭he vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.鈥�

Nithya Das, Diligent鈥檚 chief legal and chief administrative officer, acknowledged the problem to 蜜桃影视, saying, 鈥淒ocuments that were supposed to be set to private access were made accessible.鈥�  She declined to elaborate on the misconfiguration but said the company took 鈥渋mmediate action to resolve the issue鈥� once it was discovered. 

She stressed that the confidential records had been made available on the BoardDocs platform only 鈥渇or a matter of a few months鈥� and existed only on that platform, meaning that someone could not have 鈥済one onto [their] web browser and pulled up Google or Yahoo or something like that鈥� to find them. 

 鈥淚 don鈥檛 mean to downplay the situation, but I do think it鈥檚 important to just keep in mind that it was extremely limited in terms of scope, impact and duration,鈥� Das said. 鈥淚n order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.鈥�

鈥楬ow am I reading this?鈥�

It鈥檚 likely that some of the documents that may have been exposed would be those dealt with during school boards鈥� executive sessions, where to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district鈥檚 lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt 鈥渨eird;鈥�  鈥淚 was like, 鈥榃ait, how am I reading this?鈥欌��

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was 鈥渁 great concern鈥� because school boards regularly discuss sensitive issues concerning these children. It鈥檚 unclear whether BoardDoc files related to special education services were compromised.

鈥淲e know of instances where families have been retaliated against because of information that鈥檚 been shared and made public through one means or another from board meetings,鈥� she said. 鈥淚t鈥檚 important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.鈥� 

The vulnerability at BoardDocs is the latest example of how school districts鈥� reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts. 

The National School Boards Association, which represents more than , didn鈥檛 respond to requests for comment from 蜜桃影视. On , the trade group gave a 鈥渟pecial shout out to BoardDocs鈥� for their 鈥済enerous support鈥� of the nonprofit鈥檚 85th anniversary celebration.

BoardDocs doesn鈥檛 list its fees on its website. The New York State School Boards Association that the tool is available 鈥渇or as little as $3,000 per year and a one-time $1,000 start-up fee.鈥� 

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

鈥淎ny reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,鈥� Levin said. 鈥淚 certainly don’t fault anyone for taking a private setting at face value.鈥�

Not trying 鈥榯o hide the issue here鈥�

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by 蜜桃影视 that the district鈥檚 private records 鈥渃ould have been returned as part of a public search result if specific search terms were used.鈥�

鈥淥ur investigation determined that your organization鈥檚 BoardDocs site had documents鈥� in the accessible private folder, MarKeith Allen, Diligent鈥檚 chief customer officer, wrote in an email to the district earlier this month. 

The record was provided to 蜜桃影视 on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent鈥檚 chief legal and chief administrative officer, said that for 鈥渃ustomers we believed could have been impacted,鈥�  the company 鈥渟ent them a different communication, obviously letting them know of that situation.鈥� Das declined to provide copies of those communications to 蜜桃影视 and said the company is not required to notify impacted individuals under any state-level breach notification laws. 

鈥淲e did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,鈥� said Das, who noted the company does not plan to release a public statement about the breach. 鈥淭he goal was not to try to hide the issue here.鈥�

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent 鈥渁dmitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.鈥� Still, Buckman said the district put Diligent on notice that it 鈥渨ould hold BoardDocs responsible for any damages resulting from the breach.鈥�

This isn鈥檛 Diligent鈥檚 first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers . That incident prompted at least three federal class action lawsuits, which led to court settlements. 

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told 蜜桃影视 they hadn鈥檛 received notices about the incident. 

鈥淎t this point in time we have no information on this topic,鈥� Barth Paine, the spokesperson for California鈥檚 Fremont Unified School District, wrote to 蜜桃影视. 鈥淧lease email us back if you have more details about our specific District. We are now investigating this issue.鈥�

Did you use this article in your work?

We鈥檇 love to hear how 蜜桃影视鈥檚 reporting is helping educators, researchers, and policymakers.