Thousands of school districts’ confidential files and other sensitive documents could have been publicly accessible for months because of a technical glitch in BoardDocs, software used to manage school board meetings.
People who were not authorized to access districts’ confidential documents within the BoardDocs application were still able to access them if they searched within the app, said Nithya Das, the general manager of governance and chief legal officer for Diligent Corp., BoardDocs’ parent company.
The glitch was not because of a third-party malicious actor but rather because of a “misconfiguration,” or an issue with the way the application was “coded and architected,” she said in an interview with Education Week.
Das did not disclose how many districts were affected but said only about 1% of documents stored on BoardDocs, or roughly 64,000 files, were involved. BoardDocs is used by about 5,000 public-sector entities in the United States and Canada, mostly public schools.
The glitch adds BoardDocs to the list of K-12 ed-tech companies whose vulnerabilities have put at risk the sensitive information that districts store about students and staff. Most recently, a cyberattack on PowerSchool exposed the personal information of millions of students, parents, and staff and has led to dozens of lawsuits against the ed-tech company.
“School systems rely on their vendors to hold and manage a lot of very sensitive information,” said Doug Levin, a school cybersecurity expert and the national director of the K12 Security Information Exchange. “This [BoardDocs incident] is underscoring that we need our vendors and suppliers to be partners with us with respect to cybersecurity.”
That means K-12 vendors should be doing what they can to prevent an incident. But perhaps more importantly, Levin said, if a cybersecurity incident happens, districts “need to be notified promptly and very clearly.”
BoardDocs launches investigation to determine what happened
BoardDocs is designed to allow districts to publish public documents like meeting agendas, policies, and other documents in a library to comply with open meeting laws and promote civic engagement.
BoardDocs became aware of a “misconfiguration” in the app after a customer reported that documents whose visibility was set to “private,” but which had been saved in the public-content section of the app, were accessible through the in-app search, Das said. The company did not disclose the name of the client.
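The failure mode described above, modelled as an added example (my own code, not BoardDocs’ or Diligent’s; the data model, field names and sample records are assumptions): a search path that filters on the section a file was saved in but ignores the per-document visibility flag, shown beside a version that applies the same authorization rule the document-view path already uses.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Doc:
    doc_id: str
    title: str
    body: str
    section: str     # where it was saved: "public" library or "private" (protected) area
    visibility: str  # per-document flag: "public" or "private"


# Constructed sample corpus for this example; not real district data.
DOCS: List[Doc] = [
    Doc("d1", "June agenda", "budget vote and facilities update", "public", "public"),
    Doc("d2", "Litigation memo", "confidential counsel memo on a pending case", "public", "private"),
    Doc("d3", "Closed session notes", "personnel discussion, members only", "private", "private"),
]


def can_view(doc: Doc, authenticated: bool) -> bool:
    """Single authorization rule: anonymous users may read a document only if it is
    both saved in the public section AND flagged public."""
    if authenticated:
        return True
    return doc.section == "public" and doc.visibility == "public"


def _matches(doc: Doc, query: str) -> bool:
    return query.lower() in f"{doc.title} {doc.body}".lower()


def open_document(doc_id: str, authenticated: bool, docs=DOCS) -> Optional[Doc]:
    """Direct-view path: enforces can_view, so a private document is refused."""
    for d in docs:
        if d.doc_id == doc_id:
            return d if can_view(d, authenticated) else None
    return None


def search_buggy(query: str, docs=DOCS) -> List[str]:
    """Misconfigured search: filters on the section the file lives in but ignores the
    per-document visibility flag, so a private file saved in the public section is
    returned to anonymous users even though open_document would refuse it."""
    return [d.doc_id for d in docs if d.section == "public" and _matches(d, query)]


def search_fixed(query: str, authenticated: bool, docs=DOCS) -> List[str]:
    """Hardened search: reuses the same can_view rule as the view path, so the search
    index cannot disclose what the document endpoint would refuse."""
    return [d.doc_id for d in docs if can_view(d, authenticated) and _matches(d, query)]
```

The check a reviewer would want is that every read path (view, search, export, feeds) calls the same authorization function, rather than each path re-deriving its own filter.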
The Philadelphia Inquirer reported on May 30 that the Lower Merion school district was affected by a BoardDocs breach. In that instance, legal counsel representing plaintiffs in a case against the district accessed a confidential document that had been stored in a password-protected section of the application, according to the district.
BoardDocs “immediately” corrected the issue for the customer, then launched an investigation “to better understand the scope of the issue” and “remediated that issue for the other clients who were impacted,” Das said. The company has also undertaken a third-party audit of the entire software to ensure all the “configurations are accurate.”
The issue shows up in a “fairly limited use case,” Das said. “It’s not how most of our clients interact with the product. But it’s our responsibility to make sure that the configuration works as it should.”
BoardDocs has been in the process of notifying its direct clients and partners via email about whether or not they were affected, Das said.
But Levin criticized the company for not providing information on its website about the issue.
K12 Security Information Exchange members had to ask BoardDocs for information after learning about it from the Inquirer article, “meaning the company did not proactively inform its user base that it had this issue,” he said. The 74 also reported that multiple districts were unaware of the issue.
BoardDocs said, in a statement to Education Week, that it didn’t make a public announcement because it was “a software issue, not a data breach involving malicious third parties and did not impact the entire client population.”
Still, Levin said it “speaks to the cybersecurity culture of the company and may beg a number of questions that BoardDocs customers should be asking of the company the next time they renew their agreements.”
District leaders should consider asking about a vendor’s code-review process, Levin said. They should also consider adding language to their contracts with vendors requiring prompt notification of incidents that might have affected the district.
“A school system can’t manage risks if they’re not even aware that there’s potentially an issue here,” he said.