Skip to main content
All playbooks

Playbook

Lunch, payment, and fundraising system compromise

MySchoolBucks, SchoolCashOnline, RevTrak, LINQ Connect — customer-data plus payment-processing implications.

The scenario

Families report unauthorized charges on the cards they have on file in the school lunch portal. The vendor confirms a 'security event'.

First 60 minutes

  1. Pull the vendor's incident disclosure and timeline in writing — date of compromise, scope, data classes.
  2. Disable any pass-through integrations from your SIS to the payment vendor if they share student PII.
  3. Notify families using the dedicated payment-vendor breach template (see parent-communication playbook).
  4. Contact your acquiring bank if the district holds any merchant relationship (some districts do).
  5. Document the vendor's response for the next procurement renewal.

Decisions to make

Data scope

  • Payment-card data only: route to PCI-DSS-aware vendor process.
  • Student PII (name, school, lunch-status) in addition: notify under state student-data law.

Who to call

  • Payment vendor incident response
  • State breach-notification regulator
  • Card-brand fraud monitoring if district-issued cards

FAQ