DataBreaches cannot read “Lower Merion School District” without recalling the “Webcamgate” scandal of 2010, when the district was discovered monitoring students remotely in their bedrooms on district-issued MacBooks. At the time, they initially denied any misuse of remote access that was part of a security feature.
Now the district is back in local news in Pennsylvania. CBS Philadelphia reports:
The Lower Merion School District blamed a computer glitch after some confidential material was shared online. The district said it posted the information on a password-protected section of the website called BoardDocs. But people were still able to access the private documents. BoardDocs couldn’t say which documents were accessible, how long they were available or who may have seen them.
In other coverage, the district has reportedly removed all confidential docs from BoardDocs as a result of the incident.
But how was this a “computer glitch?” Is the district allegling that BoardDocs has or had a vulnerability? Or was this human error on the district’s part somehow?
DataBreaches emailed BoardDocs to ask about the alleged “computer glitch.” No reply was immediately provided, but DataBreaches will update this post when a reply is received.
Update 1: A fuller explanation of the breach involving BoardDocs was reported by The Philadelphia Inquirer. Some details from that reporting:
- The school district first learned of the breach on April 10, when it was contacted by a litigant in a legal proceeding unrelated to the breach.
- The leaked documents included attorney-client privileged legal memos that discuss ongoing litigation, confidential employee information and issues involving students who are identified by their initials.
- It remains unclear exactly how many internal Lower Merion documents were publicly accessible and for how long. The Inquirer obtained and reviewed a sample of confidential records from 2017 to 2024. Nor is it known whether the apparent bug could have impacted other school districts that use BoardDocs.
DataBreaches understands that Diligent, the company responsible for BoardDocs, has sent out letters to affected clients. DataBreaches sent a second request to BoardDocs.