Cybersecurity researcher Jeremiah Fowler uncovered a significant data breach involving a non-password protected database belonging to Raptor Technologies, a Texas-based school security company. The exposed database contained approximately 4 million records, comprising sensitive information about school safety, students, parents, and staff. Among the exposed documents were school incident response plans, layouts of schools or classrooms, background check system details, information on at-risk students, court-ordered protection orders, and records of safety protocol incidents. Fowler responsibly reported the breach to Raptor Technologies, prompting the company to secure the exposed database and restrict public access.
The non-password protected database, totaling 4,024,001 records, was stored in three separate cloud storage buckets. Raptor Technologies, known for providing school safety software and services, took immediate action upon receiving the responsible disclosure notice. The exposed information included monthly drills, incidents or non-compliance with safety protocols, and details about infrastructure challenges in schools. Although the duration of the exposure remains unknown, Raptor Technologies secured the database promptly after being notified, preventing potential malicious access. Fowler, in accordance with ethical security research practices, disclosed the information responsibly and ensured no sensitive details beyond the necessary scope were revealed.
The exposed records, categorized into production, staging, and testing documents, revealed internal information across the three environments. The incident highlights the potential impact on American schools, with Raptor Technologies serving more than 60,000 schools worldwide, including over 5,300 U.S. districts. The breach could potentially affect nearly 40% of American schools, based on the estimated number of school districts in the U.S. in 2023. Raptor Technologies offers various solutions, including a visitor management system and emergency management tools, contributing to its widespread use in the education sector. The exposure underscores the critical need for robust cybersecurity measures to protect sensitive information in educational institutions.
