School Management Platform Blue Bear Compromised in 2019 Data Breach, Class Action Claims

New to ClassAction.org? Read our Newswire Disclaimer

Global Payments, Inc. and ACTIVE Network, LLC face a proposed class action that claims the companies’ “careless approach” to data security allowed unauthorized parties to access sensitive customer information stored in ACTIVE’s Blue Bear system in a Fall 2019 data breach.

According to the case, ACTIVE’s Blue Bear software platform and payment card environment, a suite that provides school accounting software, a student management system, and an online school store used by “thousands of schools and districts” nationwide, was compromised in a “massive data breach” between October 1 and November 13, 2019. During this timeframe, customers’ names, payment card information, and Blue Bear account usernames and passwords may have been exposed to unauthorized third parties, the suit alleges.

The lawsuit claims that although thousands of consumers who made purchases through school websites may have had their personal information stolen, neither ACTIVE nor its parent company Global Payments announced the incident to the public until December 30, 2019, nearly three months after the breach began. 

“Apparently, Defendants believed it was in their best interest not to immediately disclose the Data Breach to victims via email or website notices,” the complaint scathes, adding that the delay hindered victims’ ability to protect against identity theft and fraud.

According to the case, even when Global Payments and ACTIVE sent notice of the security incident to state attorneys general and customers who may have been affected, the disclosure contained “very little detail” about the scope of the breach. What the notice did state, the case says, was that ACTIVE, upon discovering the breach, “took steps to enhance its monitoring tools and security controls,” which the case argues “could have and likely should have” been in place before the incident.

The lawsuit contends that the data breach was the “inevitable result” of the defendants’ inadequate data security measures and negligence, stressing that the “well-publicized” and growing threat of security incidents involving payment card data within numerous industries put the defendants on notice of the “very real possibility” that their customers’ data could be compromised. Despite being aware of the risks and injuries caused by data breaches, the companies failed to implement industry-standard security measures, the case alleges.

“Had Defendants maintained the Blue Bear software platform and payment card environment, adequately protected them, and had adequate security safeguards in place, the Data Breach could have been prevented,” the complaint attests.

The case notes that as of the date the lawsuit was filed, the defendants have not provided customers with any post-breach reports or findings that could aid victims in “dealing with the aftermath” of the incident. Moreover, the lawsuit decries the companies’ offer to provide victims with merely one year of free credit monitoring, noting that such is the “bare minimum remedy” and falls well below the solutions frequently made available to victims of data breaches.