More than four million sensitive school records with information pertaining to students, parents, teachers and shooting emergency plans were leaked online.
A cybersecurity researcher discovered the breached documents belonged to Raptor Technologies, a Texas-based school security company, which is used by more than 5,300 US school districts and 60,000 schools worldwide.
School districts across the country were affected by the leak including Chicago, Illinois, Forth Worth, Texas, and schools in mid-Missouri.
About 75 percent of the documents showed school safety plans and procedures which included school maps and response plans that could give dangerous actors critical information about the school’s layout.
Raptor Technologies experienced a data breach of more than four million documents
Jeremiah Fowler noticed exposed documents included school safety measures like lockdown
Leaked documents included health and court records including information showing divorced parents
The documents also included health records containing names, addresses, and insurance details as well as court records listing the details of abuse or criminal sexual offenses and social security numbers.
Raptor claims its mission is to ‘protect every child, every school, every day,’ but when it came down to it, the company inadvertently gave cybercriminals an open door policy by not putting security measures in place.
Jeremiah Fowler, an ethical cybersecurity researcher, uncovered the leaked records, and said he immediately notified vpnMentor – a cybersecurity organization – about the data breach.
Raptor took steps to secure its database and restricted access the following day.
It’s still unknown if Raptor’s actions were too little too late or how long the cybercriminal had access to the information.
Fowler said the extent of the breach remains a mystery but it is unlikely that someone actively exploited the documents.
‘I imply no wrongdoing or neglect by Raptor Technologies. I also do not imply that there are any threats or risks to the schools, students, or staff,’ Fowler said.
However, he noted that it’s important to ‘raise awareness about potential vulnerabilities for the benefit of better data protection goal measures and security practices.’
Documents also included what to do in case of a school shooter emergency that could be dangerous in the wrong hands
Raptor said it provides tracking technology claims its technology ‘enables schools to screen visitors, track volunteers, report on drills, respond to emergencies, and reunite families.’
Fowler also uncovered a more than 25-page ’emergency response plan’ for a single school, which showed preparations for fire drills, severe storms, shelter in place and lockdowns, Wired reports.
The document also included more than 20 scenarios, such as bomb threats, hostage situations and shooters in the school.
A map highlighted the layout of the school and location for where children of different ages should meet in the event of an emergency.
Fowler also found a document from one school titled ‘active shooter/lockdown drill,’ which is an 11 point checklist for teachers to review how a school performs during such practices.
Raptor Technologies Chief Marketing Officer David Rogers told TechRadar Pro: ‘We care deeply about the safety and wellbeing of children and all those community members our customers serve, which is exactly why we took prompt action when made aware by a cybersecurity researcher of an issue involving certain cloud-hosted data repositories.’
The company claimed all data repositories were secured and it has notified all customers who were potentially affected by the breach.
Rogers added: ‘Importantly, we have no evidence that there has been any misuse of the information stored in these data repositories. We are committed to safeguarding our customers’ information and their trust in line with our mission to protect every child, every school, every day.’
Along with emergency plans, the leaked data included information about specific students and their behavior in class.
Wired reported about one document that highlighted a child’s name and threats they had made to teachers and other students.
Another read: ‘[Student name] is aggressive, kicking, scratching, and fights while transitioning from the bus each morning,’ one file says of a student. It adds that the student ‘locked himself in principal’s office and grabbed a pair of scissors.’
The leak also exposed students’ medical records, including names of doctors and illnesses.
Yet Raptor’s protection extended only so far as to upload thousands of documents without any security measures in place, even as there is an ongoing epidemic of violence in schools, including school shootings.
‘Given the numerous risks for educational institutions, it is crucial for schools to prioritize the security of potentially sensitive records related to emergency protocols, drills, or sensitive maps,’ Fowler said.
He advised schools and companies who take charge of school data to take proactive measures that restrict records by encrypting sensitive information and conducting regular security assessments.
‘In Raptor’s case, it’s a wake-up call. Hopefully, this data doesn’t fall into the wrong hands,’ Fowler told CBS News.
‘I haven’t seen a range or span of documents like that, I don’t think, ever,’ he added.
Dailymail.com has reached out to Raptor Technologies and Fowler for comment.
