DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Raptor Technologies’ unsecured blob exposure was worse than they acknowledged. Here’s what we know — and don’t know — so far.

Posted on January 19, 2024 by Dissent

On January 11, DataBreaches noted a concerning blob exposure discovered by Jerome Fowler and first reported by vpnMentor. As WIRED’s Matt Burgess reported:

Last month, security researcher Jeremiah Fowler discovered 800 gigabytes of files and logs linked to school software provider Raptor Technologies. The firm provides software that allows schools to track student attendance, monitor visitors, and manage emergency situations. Raptor says its software is used by more than 5,300 US school districts and 60,000 schools around the world.

But as DataBreaches noted, there was even more to this concerning leak than had been known by Fowler, vpnMentor, or WIRED.  DataBreaches had been contacting Raptor Technologies weeks before Fowler reached out to them about their leak after another researcher had alerted DataBreaches to it in early November. But Raptor Technologies never acknowledged the multiple attempts at responsible disclosure in early December, never secured their blob at the time, and then issued a factually inaccurate statement to WIRED about their investigation that claimed, “There is no indication at this time that any such data was accessed by third parties beyond the cybersecurity researcher and Raptor Technologies personnel,” he says, adding there is no reason to believe there has been any misuse of the information.”

But data had been accessed by others.

DataBreaches’ initial reporting on the problems with Raptor’s incident response and disclosure was first reported on January 11 as an update to the post about the WIRED story. Since then, DataBreaches has been following up. As DataBreaches noted last night on Infosec.Exchange:

I have already been starting to follow -up:

(1) Fowler’s notification to Raptor was weeks after I sent RAPTOR multiple notifications that they had not responded to appropriately. And I verified: Fowler was notifying them about the same blob I had been notifying them about. So we know that blob was first exposed no later than November 3 when a researcher notified me about it. Did Raptor tell school districts when the blob was first unsecured?

(2) I have sent an inquiry to Raptor asking why they claim only Fowler and their staff had accessed files, as the first (November) researcher had accessed files in November and I had accessed them in December to verify and to check to see if Raptor locked it down after I notified them. I have now asked Raptor if they really have access logs.

Amazingly, I have gotten no response so far. Again.

(3) I also reached out to Ann Arbor Public Schools to ask what they did in response to the security alert I sent them on December 3 that they never responded to…. and to ask if Raptor told Angell Elementary that there was a file with every student’s picture and information — including parental phone numbers and emergency phone numbers that was leaking and downloaded.

So far, I haven’t heard back from AAPS or Angell Elementary School either.

Raptor Technologies needs to answer the questions DataBreaches put to them.  So does Ann Arbor Public Schools and Angell Elementary School District, for that matter.  And school districts using Raptor’s services should attempt to verify Raptor’s claims to them about whether their data was accessed or not.

 

Category: Education SectorExposureSubcontractorU.S.

Post navigation

← German security researchers at risk of prosecution for “hacking” because of a plain text hardcoded password?
Primary Health & Wellness Center, LLC’s public notice of ransomware incident →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers
  • Lyrix Ransomware Targets Windows Users with Advanced Evasion Techniques
  • Central Maine Healthcare tackles suspected cybersecurity issue; hospitals remain open
  • Cartier Data Breach: Luxury Retailer Warns Customers that Personal Data Was Exposed
  • Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics
  • Akira doesn’t keep its promises to victims — SuspectFile

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.