Contact schools immediately/directly when an active broken feature compromises data security

The only way many schools learned of the Official Notes permissions issue on 2/13/23 was from a BB listserv and then a long wait for BB support. Schools should be alerted immediately when they need to adjust settings to protect school data due to a broken feature.

  • Annemarie Merow
  • Feb 14 2024
  • Guest commented
    23 Feb 10:35pm

    I even doubt they involved all affected schools in their announcements. We were not announced even though we had a ticket regarding Official Notes getting published to all faculty!

  • Jared Hasen-Klein commented
    23 Feb 09:43pm

    To echo Jeanne, when a school is unaffected, but then learns about an ongoing issue from someone who was affected (who may have been officially notified), it creates panic.


    The responsible thing to do is to reach out to all users of the platform when an incident is detected. If BB knows who is impacted and who is not, share that in the notification. I often hear from vendors that they know of an issue affecting a subset of users and are still trying to narrow down that universe, and then get an update shortly thereafter letting me know whether or not I'm in that universe.

  • Sarah Lazar commented
    23 Feb 06:15pm

    I agree that they seem to be taking this lightly. To me, I think this is just as severe as the Blackbaud incident regarding financial data being exposed. I get money and people's finances are a HUGE thing but the right to privacy of student grades, infraction notices, info important for a student record is vitally important and demands the utmost secure treatment (just as much as financial records). The trust families have in the schools to keep this information secure is enormous. When info like this is exposed, the families aren't going to ask for Blackbaud's head on a platter!

  • Rebecca Dallek commented
    23 Feb 05:57pm

    The worst part was that support didn't even seem to know about the issue. We were notified by a parent and a student along with the BB listserv for Registrars. When we reached out to support, they had no idea about the issue. This is a breakdown of their Quality Assurance, Support, Data Security and Client Services. How is it that they don't have protocols in place to handle these scenarios? Lastly, they have not yet issued a statement to say how they will mitigate these types of issues going forward. It appears they are not taking this seriously, at all.

  • Jeanne Townsend commented
    14 Feb 05:41pm

    Even when all schools are not affected by an issue, it would be very helpful to know that there is an active issue, and to have steps we can take to quickly determine if our school is affected.

  • Lisa Fusco commented
    14 Feb 05:18pm

    I believe this is covered by the FTC's data breach notification Order which requires covered entities to notify customers without unreasonable delay after notifying federal agencies and in no case later than thirty days after reasonable determination of a breach, eliminating the Rules' previous seven-day waiting period before customers could be notified.

    Was $49.5M not enough after the last breach, Blackbaud?
