On Sunday, March 21, 2021 at 11:47am Pacific time, we were made aware that some third-party tracking code commonly used on web pages was operating on post-login pages on our site.
What happened?
We use Google Tag Manager to help deploy key third-party code in a streamlined fashion. The Google Tag Manager implementation includes a Facebook trigger. On March 8, 2021 at 8:39pm Pacific time, a new Facebook campaign was created that started firing a Facebook advertising pixel, intended to only run on marketing web pages. However, it was inadvertently configured to run on signed-in pages.
What actions have we taken?
We promptly investigated the matter and, once we were able to identify, verify, and replicate the issue, we removed the offending code from the signed-in pages on March 21, 2021 at 11:19pm Pacific time.
We take the privacy of our customers’ data and personal information very seriously and have made completing the root cause analysis a top priority. Our Engineering, Security, and Compliance/Privacy teams—as well as other staff—are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again. We will update this post as we have more information to share.
How One College System Graduated From Tape to Multi-cloud Solutions