School security company Raptor Technologies left roughly 4 million records — including sensitive school safety data and personal information of students, parents and staff — exposed for an unknown period of time. The files were stored in a database without any password protection, according to Jeremiah Fowler, a cybersecurity researcher who reported the findings in a post for cybersecurity review provider vpnMentor.
Raptor provides a wide range of school safety software services — including visitor, volunteer and emergency management systems — to over 5,300 school districts, according to its website.
Documents the company left exposed detailed school incident response plans with layouts of schools or classrooms that included information on infrastructure issues like security gaps and malfunctioning cameras. Also included were data outlining monthly drills and detailed incidents of safety protocol violations.
Some documents included names and details from background checks, Fowler reported. The data leak also contained sensitive information on at-risk students, including their personal and medical conditions and any potential threats they posed to the school.
Once Fowler informed Raptor of the data breach, he said the company quickly secured the database, and the public could no longer access the sensitive information the next day. “It is unknown how long the database was exposed or if anyone else may have accessed the database, as only an internal forensic audit could identify potentially malicious access,” Fowler wrote in his vpnMentor post.
The major data leak — unrelated to a cyberattack — comes as safety is top-of-mind for many school communities. The number of school shooting incidents in 2023 reached a record high of 346. And just four days into 2024, a shooting at Perry High School in Iowa killed a 6th grade student and the school’s principal. Six others were also injured during the shooting.
Data breaches involving sensitive school data, like a district’s security information and incident response plans, can leave schools even more vulnerable. Such documents are typically exposed through cyberattacks and can include building maps, evacuation plans, security camera layouts, network architecture and more.
To navigate and potentially protect schools from this kind of data leak, school safety and K-12 cybersecurity experts have advised that districts store their safety plans on a separate, more secure server. It’s also important to periodically revisit safety plans, especially if that information is exposed. As more schools rely on ed tech for a variety of services, data privacy experts suggest schools take inventory of ed tech already in use, and that district technology leaders skeptically read a company’s terms of use before signing a contract.
