Official Notes bug made all notes visible to all users?

I am hearing from other schools that there was a bug yesterday that allowed all users access to all official notes. Does anyone know more about this? How do we know if we were or are affected?

Comments

  • @Brian Hoyt that's not good! Are you impersonating parents to see if it is true? I just impersonated one parent and didn't see anything I just added to their account.

  • @Coco Parham It is possible it has been fixed already. My concern is that it may have affected my school and I don't know. There are some serious privacy issues that may need to be addressed.

  • @Brian Hoyt our school experienced this. The students brought it to our attention. They saw a number beside Official Notes on the LMS. When they opened it they saw the list of students who received notes from teachers about grades in Sept/Oct. Our IT team made some changes and when students logged off and back on it was no longer there. Blackbaud was working on it as well. Not sure how it ended up.

  • @Lisa Baylor The issue was resolved around 10 am, apparently. We also had students (and a parent) bring it to our attention with some screenshots. I removed the ability for students and parents to see (any) Official Notes and that fixed it for most, but anyone who was currently logged in still had the Official Notes button in the upper right, and could still access them, despite having those tasks turned off in their roles. It was very obvious to students - suddenly 2477 official notes appeared! Fortunately there were no emotional crises but we are waiting for the statement of explanation from Blackbaud - hopefully with an apology - so we can explain to parents how the confidentiality of those records was breached so badly. It was a major FERPA violation for those schools and some people are ticked.

  • @Brian Hoyt There was a follow-up this evening from Blackbaud to affected schools. In part they wrote that “This issue only affected customers who set their privacy settings to allow all faculty for all school levels to view data in the Official Notes field.” So if you didn't have that, you should have been all clear.

    They also sent a Word doc supposedly listing the comments viewed and by whom, but it cannot be trusted. Our file contained a single comment viewed by one student, but I personally observed several other students showing me the problem by bringing up another student's comment (and then quickly closing it). If you received this notice you may need to follow up with customer support to get an accurate accounting if you want that information.

  • @David Gillespie
    David,

    Where are the settings for this?

  • @Barbara Glass If you edit each comment type and scroll down to the bottom, you'll see the groups that can view it. There's an additional checkbox to limit it to the student's school level. We didn't have that turned on for a couple of our comment types.
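The visibility rules the thread describes (viewer groups per comment type, the school-level checkbox, and the fact that already-logged-in users kept the Official Notes button after the task was turned off in their role) as a constructed Python model. This is an added illustration, not Blackbaud's code; the role, task and comment-type names are assumptions.

```python
from collections import namedtuple

# Assumed model (not Blackbaud's): a role grants tasks, a comment type lists
# the roles that may view it and may be limited to the student's school level.
# ROLE_TASKS is mutable so we can show what a mid-incident revocation does.
ROLE_TASKS = {
    "faculty": {"view_official_notes"},
    "student": {"view_official_notes"},   # the exposed state during the bug
}
COMMENT_TYPES = {
    "grade_note": {"viewer_roles": {"faculty", "student"},
                   "limit_to_school_level": True},
}
# Constructed sample notes: (note id, comment type, student's school level)
NOTES = [(1, "grade_note", "upper"), (2, "grade_note", "middle")]

User = namedtuple("User", "role school_level")

def can_view(role, tasks, school_level, note):
    """Evaluate one note against the supplied role/task state."""
    _, ctype, note_level = note
    ct = COMMENT_TYPES[ctype]
    if "view_official_notes" not in tasks or role not in ct["viewer_roles"]:
        return False
    return not ct["limit_to_school_level"] or school_level == note_level

def visible_per_request(user):
    """Authorize against the CURRENT role configuration on every request."""
    tasks = ROLE_TASKS[user.role]
    return [n[0] for n in NOTES
            if can_view(user.role, tasks, user.school_level, n)]

class Session:
    """Login-time snapshot of tasks: the pattern that kept the button alive
    until users logged off and back on."""
    def __init__(self, user):
        self.user = user
        self.tasks = set(ROLE_TASKS[user.role])   # copied once at login

    def visible(self):
        u = self.user
        return [n[0] for n in NOTES
                if can_view(u.role, self.tasks, u.school_level, n)]

def revoke(role, task):
    """The mitigation from the thread: turn the task off for the role."""
    ROLE_TASKS[role].discard(task)
```

Revoking the task closes access immediately only for the per-request check; a session that cached its tasks at login keeps returning the notes until it is re-established.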

  • @David Gillespie
    Thanks for the details. We don't use the All Teachers setting on any of our official notes so that seems like it excluded us from the issue. This is the kind of security / privacy oops that really shouldn't happen.

  • Final follow-up from me! Our report was limited because I changed the access rights to the comments before it was generated. Once the Blackbaud folks knew that, they were able to go back and retrieve all of the comments that students had viewed. So if you see this and your school was affected but the report you received doesn't seem complete, you can follow up with them and they can provide you a report with the new parameters that they're sure is complete.

  • @Brian Hoyt

    If you haven't had an opportunity, please consider voting for these three ideas that could help during similar situations.

    Develop the ability for platform managers to immediately disable accounts for a specific role

    https://blackbaudk12.ideas.aha.io/ideas/K12CO-I-3754

    • Although we immediately disabled the Official Notes feature yesterday, it didn’t take effect on many students until they logged off (some multiple times). Those who didn’t log off were able to surf through private information for an extended period until we blocked Blackbaud at our firewall.

    Contact schools immediately/directly when an active broken feature compromises data security

    https://blackbaudk12.ideas.aha.io/ideas/K12CO-I-3756

    • The only way many schools learned of the Official Notes permissions issue on 2/13/23 was from a BB listserv and then a long wait for BB support. Schools should be alerted immediately when they need to adjust settings to protect school data due to a broken feature.

    Create a useful K-12 status page with a list of currently broken features

    https://blackbaudk12.ideas.aha.io/ideas/K12CO-I-3755

    • Schools need a way to quickly identify known issues (broken features from weekly updates) without waiting an hour on the phone for support just to tell us that BB agrees there is a problem that has been sent to development. A simple page with known problems would save us all a great deal of time and frustration.
