image

Child Safety Alert! School Safety Software Data Leak Endangers Student Safety

A data leak involving Raptor Technologies, a Texas-based school safety software provider, exposed millions of sensitive records about students, parents, and staff.

The leak, discovered by cybersecurity researcher Jeremiah Fowler, exposed personal information, incident response plans, infrastructure challenges, and documents about at-risk students, raising concerns about student privacy and school safety. The leak exposed around 4,024,001 records, exposing students to numerous security risks.

“I reviewed a limited sample of documents and log records that contained what appeared to be sensitive information related to students, teachers, parents, and school safety plans or procedures,” said Fowler.

I immediately sent a responsible disclosure notice and received confirmation that indeed the data belonged to Raptor Technologies,” Fowler wrote in the blog post published by VPNMentor on January 11th, 2024.

Part of the exposed records were school incident response plans, classroom layouts, infrastructure challenges, background check system details, and at-risk student documents, including their “personal and medical conditions, any mental health or legal problems they might be having, and the threats they pose to the school.”

In addition, it contained court-ordered protection orders, divorce decrees, and monthly drills. It also included scanned PDF files and images of legal documents. In summary, Fawler managed to analyse a treasure trove of records including the following:

  1. Testing documents: 1,326 files
  2. Testing logs: 332,409 / 23 GB
  3. Staging documents: 7,900 files
  4. Staging logs: 1,002,394 / 25 GB
  5. Production documents: 81,511 files
  6. Production logs: 2,598,461 blobs / 779 GB

Raptor Technologies secured the database and restricted public access. The duration of the exposure and potentially malicious access remains unknown, as only an internal forensic audit could identify potential threats.

It is worth noting that Raptor Technologies provides a visitor management system for schools to track and screen visitors, volunteers, and contractors, ensuring they are not on sex offender registries or watchlists. The software is used by over 60,000 schools worldwide, including 5,300 U.S. districts. The exposure could potentially impact nearly 40% of American schools.

The unprotected database exposed sensitive data such as school maps, camera locations, security vulnerabilities, meeting points, and emergency response plans. These could have real-world consequences if accessed by cybercriminals. Court records contained restraining orders, criminal offences, divorce agreements, and personal information, increasing the risk of identity theft or financial crimes. 

Moreover, health records revealed student health forms, compromising privacy and confidentiality. Incident reports and safety drill summary reports contained students’ names and detailed at-risk behaviour, which can threaten their well-being later in life. School maps identified classroom locations, room numbers, evacuation routes, and camera locations, posing additional privacy risks.

Fowler recommends proactive cybersecurity measures for schools and data management companies, including restricting access, conducting regular assessments, and encrypting sensitive information.