Matt Burgess reports:
Thousands of emergency planning documents from US schools—including their safety procedures for active shooter emergencies—were leaked in a trove of more than 4 million records that were inadvertently made public. Last month, security researcher Jeremiah Fowler discovered 800 gigabytes of files and logs linked to school software provider Raptor Technologies. The firm provides software that allows schools to track student attendance, monitor visitors, and manage emergency situations. Raptor says its software is used by more than 5,300 US school districts and 60,000 schools around the world.
The highly sensitive cache of documents included evacuation plans, with maps showing the routes students should take and where they should gather during emergencies; details of students who pose a threat on campus; medical records; court documents relating to restraining orders and family abuse; and the names and ID numbers of staff, students, and their parents or guardians. “This is the most diverse group of documents I’ve found,” says Fowler, who detailed the findings for security firm vpnMentor.
Read more at WIRED.
Note: Independently and unaware of Fowler’s activities, DataBreaches had also been contacting Raptor Technologies about their leak after another researcher sent DataBreaches a tip on November 3.
Unfortunately, the tip had been sent to a rarely used account, so DataBreaches did not see it until December 3, but then DataBreaches immediately contacted a school district on December 3 through their secure urgent tip line and urged them to contact Raptor to get files locked down. DataBreaches provided the district with a link to an exposed PDF file of more than 100 pages containing personal information and portrait pictures of all their students.
That school district never even replied.
DataBreaches also contacted Raptor Technologies via their site and then an email on December 4. Getting no reply to either, DataBreaches contacted Raptor Technologies again on December 5.
To my astonishment, rather than just forwarding my December 4 email internally, they sent me an email on December 5 asking me to email their security@ email address. Seriously, Raptor Technologies? You don’t know how to escalate a website contact or email and have nothing on your site about contacting you urgently about a data security issue?
DataBreaches dutifully re-sent the message yet again to another email address for Raptor. They never replied.
DataBreaches is glad vpnMentor reported on this leak and remains troubled that neither the school district this site contacted nor Raptor Technologies ever responded appropriately and timely to this site’s efforts to get them to lock down personal and sensitive information.
Update: Note that this statement by Raptor in WIRED’s reporting is also troubling:
David Rogers, chief marketing officer at Raptor Technologies, tells WIRED the company “immediately implemented remediation protocols” to secure the exposed data once it was contacted and started an investigation into the issue. “We have communicated with all Raptor customers,” Rogers says. “There is no indication at this time that any such data was accessed by third parties beyond the cybersecurity researcher and Raptor Technologies personnel,” he says, adding there is no reason to believe there has been any misuse of the information.
Data were accessed by third parties beyond Fowler and Raptor by at least one other researcher and DataBreaches, who attempted to verify the leak. Doesn’t Raptor have access logs or are they just making a factually inaccurate statement?