School security software provider Raptor Technologies faced a major data breach, exposing approximately 4 million records, including sensitive school safety information and personal details of students, parents, and staff. The breach was discovered by cybersecurity researcher Jeremiah Fowler, who found that the files were stored in a database without any password protection.
Raptor Technologies, serving over 5,300 school districts with various safety software services, including visitor, volunteer, and emergency management systems, left non-password protected documents accessible to the public. The exposed records contained information on school incident response plans, layouts of schools or classrooms, infrastructure issues, and monthly drills. Some documents also included names and details from background checks.
The data leak included sensitive information about at-risk students, encompassing personal and medical conditions along with potential threats they might pose to the school. Jeremiah Fowler reported the findings in a post for cybersecurity review provider vpnMentor.
Upon being notified of the breach, Raptor Technologies swiftly secured the database, preventing further public access to the sensitive information. However, the duration of the exposure remains unknown, and the possibility of malicious access can only be identified through an internal forensic audit.
This incident, unrelated to a cyberattack, raises concerns amid heightened safety awareness in school communities. With an increasing number of school shooting incidents, the exposure of sensitive school data poses additional vulnerabilities. Such breaches can reveal critical information like building maps, evacuation plans, security camera layouts, and network architecture.
Experts in school safety and K-12 cybersecurity recommend storing safety plans on secure servers separate from other data. Regular review and updates of safety plans are crucial, especially when exposed. As schools increasingly rely on educational technology, it’s advised to take inventory of the technologies in use and carefully scrutinize terms of use agreements before entering contracts with tech companies to ensure data privacy.