School Districts Unaware BoardDocs Software Published Their Private Files

BoardDocs, a software tool used by thousands of school boards to track meeting minutes and store confidential information, has suffered a data breach affecting districts nationally, The 74 has learned. Records at the center of the breach include confidential files protected by attorney-client privilege and other sensitive data that school leaders intended to keep under wraps. 

BoardDocs parent company Diligent Corporation acknowledged Tuesday the breach was national in scope only after reporting by The 74 confirmed its customers across the country were affected. The BoardDocs software, which allows school boards to disseminate agendas and other public documents to their communities while keeping other records private, is used by some 5,000 public sector entities in the U.S. and Canada, primarily public schools. 

The company declined to disclose the number of school districts that were affected after a glitch in its product erroneously published sensitive records to the web, but said only about 1% of documents stored on BoardDocs — or roughly 64,000 files — were exposed.

Company spokesperson Michele Steinmetz told The 74 Diligent began notifying all BoardDocs customers — including those who were not directly affected  — on May 30, the same day The Philadelphia Inquirer published an investigation into a BoardDocs breach affecting the Lower Merion school district. That instance appears to have been uncovered when plaintiffs in a legal case against the district came across privileged files while searching for public ones. 

Multiple additional school districts that contract with BoardDocs, however, said they were unaware of the incident until they were contacted this week by The 74 and, in several instances, received confirmation of the breach from Diligent only after they reached out to the company directly to inquire about whether their own confidential records had been compromised. 

In an interview with The 74, one customer called the glitch “an improper misconfiguration of the vendor’s products.” An option to store records in “a private folder” within the district’s broader public library “could be misleading and people could think, and rightfully so, ‘Anything I put in there is not publicly available,’ when, in fact, it could be accessed by an unauthenticated user.”

The official, who spoke on the condition of anonymity because they weren’t authorized to discuss the BoardDocs situation or draw attention to their district’s cybersecurity practices, said their school system was not “notified proactively” about the fallibility that came to light in Lower Merion.

“It was something that should not have been in place,” the official said. “The vendor should have been more clear and thoughtful and communicative around that configuration and the implications of it.”

Nithya Das, Diligent’s chief legal and chief administrative officer, acknowledged the problem to The 74, saying, “Documents that were supposed to be set to private access were made accessible.”  She declined to elaborate on the misconfiguration but said the company took “immediate action to resolve the issue” once it was discovered. 

She stressed that the confidential records had been made available on the BoardDocs platform only “for a matter of a few months” and existed only on that platform, meaning that someone could not have “gone onto [their] web browser and pulled up Google or Yahoo or something like that” to find them. 

 “I don’t mean to downplay the situation, but I do think it’s important to just keep in mind that it was extremely limited in terms of scope, impact and duration,” Das said. “In order for these documents that were meant to be private to be publicly accessible, you would actually have to go into the BoardDocs application and do a fairly specific search.”

‘How am I reading this?’

It’s likely that some of the documents that may have been exposed would be those dealt with during school boards’ executive sessions, where the law allows them to meet behind closed doors to discuss sensitive or privileged subjects. These include personnel matters and employee disciplinary issues; litigation involving plaintiffs, often parents, alleging wrongdoing; union contract negotiations and pending real estate transactions.

Internal records from executive sessions were made publicly accessible in the Lower Merion breach, according to the school district’s lawyer. A parent who came upon a trove of confidential memos told the Inquirer the discovery felt “weird;”  “I was like, ‘Wait, how am I reading this?’”

Denise Marshall, chief executive officer of the nonprofit Council of Parent Attorneys and Advocates, which works to protect the legal and civil rights of students with disabilities and their families, said the breach was “a great concern” because school boards regularly discuss sensitive issues concerning these children. It’s unclear whether BoardDoc files related to special education services were compromised.

“We know of instances where families have been retaliated against because of information that’s been shared and made public through one means or another from board meetings,” she said. “It’s important that the school boards, and, of course, BoardDocs, take every effort to ensure that privacy is safeguarded.” 

The vulnerability at BoardDocs is the latest example of how school districts’ reliance on third-party technology vendors for critical systems can introduce weaknesses and put sensitive information about students, parents and educators at risk. Last week, 19-year-old Matthew Lane pleaded guilty in Massachusetts federal court for his role in a recent cyberattack on education technology behemoth PowerSchool, which led to a data breach exposing the personal information of millions of students, parents and teachers globally. The PowerSchool cyberattack and subsequent data breach has prompted dozens of lawsuits filed by parents, students and school districts. 

The National School Boards Association, which represents more than 90,000 local school board members, didn’t respond to requests for comment from The 74. On social media in April, the trade group gave a “special shout out to BoardDocs” for their “generous support” of the nonprofit’s 85th anniversary celebration.

BoardDocs doesn’t list its fees on its website. The New York State School Boards Association notes on its site that the tool is available “for as little as $3,000 per year and a one-time $1,000 start-up fee.” 

School cybersecurity expert Doug Levin, co-founder and national director of the nonprofit K12 Security Information eXchange, said the BoardDocs incident is a cautionary tale for both school districts and their vendors. 

“Any reasonable person if, upon selecting a setting to private, would presume that it would not be searchable,” Levin said. “I certainly don’t fault anyone for taking a private setting at face value.”

Not trying ‘to hide the issue here’

After a large urban school district quizzed the company about the news out of Lower Merion, Diligent acknowledged in a notice obtained by The 74 that the district’s private records “could have been returned as part of a public search result if specific search terms were used.”

“Our investigation determined that your organization’s BoardDocs site had documents” in the accessible private folder, MarKeith Allen, Diligent’s chief customer officer, wrote in an email to the district earlier this month. 

The record was provided to The 74 on the condition that the district not be named. 

In addition to a general notification to all its customers, Das, Diligent’s chief legal and chief administrative officer, said that for “customers we believed could have been impacted,”  the company “sent them a different communication, obviously letting them know of that situation.” Das declined to provide copies of those communications to The 74 and said the company is not required to notify impacted individuals under any state-level breach notification laws. 

“We did also have a process of doing some direct outreach to impacted clients like picking up the telephone and calling them, and so I guess I am surprised to hear that there might be clients who weren’t aware of the situation until you reached out,” said Das, who noted the company does not plan to release a public statement about the breach. “The goal was not to try to hide the issue here.”

Amy Buckman, the Lower Merion school district spokesperson, said in a statement that Diligent “admitted there had been an error by their company in protecting confidential documents stored on their site and said immediate corrective action would be taken.” Still, Buckman said the district put Diligent on notice that it “would hold BoardDocs responsible for any damages resulting from the breach.”

This isn’t Diligent’s first time responding to a data breach involving sensitive information. In 2022, the company suffered a cyberattack and subsequent breach involving a tool unrelated to its work with schools, with affected customers including defense contractor Leidos. That incident prompted at least three federal class action lawsuits, which led to court settlements. 

Officials with school districts across the country that contract with BoardDocs, including in Scottsdale, Arizona, and at the Illinois State Board of Education, told The 74 they hadn’t received notices about the incident. 

“At this point in time we have no information on this topic,” Barth Paine, the spokesperson for California’s Fremont Unified School District, wrote to The 74. “Please email us back if you have more details about our specific District. We are now investigating this issue.”

Get stories like these delivered straight to your inbox. Sign up for The 74 Newsletter