I even doubt they involved all affected schools in their announcements. We were not announced even though we had a ticket regarding Official Notes getting published to all faculty!

To echo Jeanne, when a school is unaffected, but then learns about an ongoing issue from someone who was affected (who may have been officially notified), it creates panic.

The responsible thing to do is to reach out to all users of the platform when an incident is detected. If BB knows who is impacted and who is not, share that in the notification. I often hear from vendors that they know of an issue affecting a subset of users and are still trying to narrow down that universe, and then get an update shortly thereafter letting me know whether or not I'm in that universe.

I agree that they seem to be taking this lightly. To me, I think this is just as severe as the Blackbaud incident regarding financial data being exposed. I get money and people's finances are a HUGE thing but the right to privacy of student grades, infraction notices, info important for a student record is vitally important and demands the utmost secure treatment (just as much as financial records). The trust families have in the schools to keep this information secure is enormous. When info like this is exposed, the families aren't going to ask for Blackbaud's head on a platter!

The worst part was that support didn't even seem to know about the issue. We were notified by a parent and a student along with the BB listserv for Registrars. When we reached out to support, they had no idea about the issue. This is a breakdown of their Quality Assurance, Support, Data Security and Client Services. How is it that they don't have protocols in place to handle these scenarios? Lastly, they have not yet issued a statement to say how they will mitigate these types of issues going forward. It appears they are not taking this seriously, at all.

Even when all schools are not affected by an issue, it would be very helpful to know that there is an active issue, and to have steps we can take to quickly determine if our school is affected.

I believe this is covered by the FTC's data breach notification Order which requires covered entities to notify customers without unreasonable delay after notifying federal agencies and in no case later than thirty days after reasonable determination of a breach, eliminating the Rules' previous seven-day waiting period before customers could be notified.

Was $49.5M not enough after the last breach, Blackbaud?