On January 11, DataBreaches noted a concerning blob exposure discovered by Jerome Fowler and first reported by vpnMentor. As WIRED’s Matt Burgess reported:
Last month, security researcher Jeremiah Fowler discovered 800 gigabytes of files and logs linked to school software provider Raptor Technologies. The firm provides software that allows schools to track student attendance, monitor visitors, and manage emergency situations. Raptor says its software is used by more than 5,300 US school districts and 60,000 schools around the world.
But as DataBreaches noted, there was even more to this concerning leak than had been known by Fowler, vpnMentor, or WIRED. DataBreaches had been contacting Raptor Technologies weeks before Fowler reached out to them about their leak after another researcher had alerted DataBreaches to it in early November. But Raptor Technologies never acknowledged the multiple attempts at responsible disclosure in early December, never secured their blob at the time, and then issued a factually inaccurate statement to WIRED about their investigation that claimed, “There is no indication at this time that any such data was accessed by third parties beyond the cybersecurity researcher and Raptor Technologies personnel,” he says, adding there is no reason to believe there has been any misuse of the information.”
But data had been accessed by others.
DataBreaches’ initial reporting on the problems with Raptor’s incident response and disclosure was first reported on January 11 as an update to the post about the WIRED story. Since then, DataBreaches has been following up. As DataBreaches noted last night on Infosec.Exchange:
I have already been starting to follow -up:
(1) Fowler’s notification to Raptor was weeks after I sent RAPTOR multiple notifications that they had not responded to appropriately. And I verified: Fowler was notifying them about the same blob I had been notifying them about. So we know that blob was first exposed no later than November 3 when a researcher notified me about it. Did Raptor tell school districts when the blob was first unsecured?
(2) I have sent an inquiry to Raptor asking why they claim only Fowler and their staff had accessed files, as the first (November) researcher had accessed files in November and I had accessed them in December to verify and to check to see if Raptor locked it down after I notified them. I have now asked Raptor if they really have access logs.
Amazingly, I have gotten no response so far. Again.
(3) I also reached out to Ann Arbor Public Schools to ask what they did in response to the security alert I sent them on December 3 that they never responded to…. and to ask if Raptor told Angell Elementary that there was a file with every student’s picture and information — including parental phone numbers and emergency phone numbers that was leaking and downloaded.
So far, I haven’t heard back from AAPS or Angell Elementary School either.
Raptor Technologies needs to answer the questions DataBreaches put to them. So does Ann Arbor Public Schools and Angell Elementary School District, for that matter. And school districts using Raptor’s services should attempt to verify Raptor’s claims to them about whether their data was accessed or not.