Privacy & Security

A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know

By Arianna Prothero — January 24, 2024 5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
  • Save to favorites
  • Print

More than 4 million school records held by school safety software company Raptor Technologies were left inadvertently exposed online. The cybersecurity leak—which the company says is now patched—included thousands of documents detailing emergency plans at U.S. schools, including lockdown procedures.

The data leak is the latest in a series of high-profile cybersecurity incidents with K-12 vendors from the past few years, including a 2022 cyberattack on Illuminate Education, and a 2018 data breach of Pearson Education.

But incidents like this raise the question: what can districts do when a vendor they trust to hold sensitive data fails to safeguard that information? It’s not a question reserved just for the districts affected by the Raptor Technologies data security leak, said Doug Levin, the director of K12 Security Information Exchange, which tracks cybersecurity problems in schools.

“In general, security experts would encourage school systems to outsource these services to technology companies that may be more expert at protecting IT systems than school districts, because it is their full-time job and may have more expertise,” he said. “However, it does mean that if they happen to be compromised, the scope of those incidents can be orders of magnitude larger.”

In a statement to Education Week, Raptor Technologies Chief Marketing Officer David Rogers said the company is taking extra precautions in addressing the leak. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused,” he said.

While there’s only so much schools can do to protect data that has been shared with vendors, say experts, there are steps schools should take to do their due diligence and be savvy customers.

Students’ medical records, school safety evacuation plans, names of students who might pose threats were compromised

In December, a security researcher working for a company called vpnMentor reported the data leak to Raptor Technologies, which is used by more than 5,300 U.S. school districts, according to the company’s website. That represents more than a third of all school districts in the country. Earlier this month, the security incident was reported by technology magazine WIRED, which found a host of sensitive information was left exposed, including:

  • Evacuation plans with maps showing escape routes and meeting places;
  • Information on students who had been flagged as posing a threat on campus;
  • Court documents outlining family abuse and restraining orders;
  • Medical records, including students’ health conditions;
  • The names and ID numbers of staff, parents, guardians, and students;
  • And, in some cases, details such as whether a door was locked or a security camera was broken.

“The sensitivity of these data are definitely a concern,” said Levin. “This is not a case where simply offering free credit monitoring is necessarily the right remedy, even though that is the standard for companies that experience an incident.”

Raptor Technologies provides a suite of software services to school districts, including products that screen and track school visitors, monitor student attendance, and conduct behavioral threat and suicide risk assessments.

The District of Columbia Public Schools was among the districts affected—although only to a relatively small degree, the district said in a notice to families. The district had only recently started using Raptor Technologies’ visitor management software in some of its schools, so student names and ID numbers were temporarily accessible. The district has suspended the use of the software.

“Our investigation into the nature of the issue remains ongoing,” Rogers said in the statement from Raptor Technologies. “However, at this time, Raptor is supporting its customers, if needed, in reviewing the contents of the data and ensuring that any individuals whose personal information could have been affected are appropriately notified.”

Raptor Technologies also emphasized in its statement that its security protocols are “rigorously tested” by third-party reviewers.

What schools can—and can’t—do to protect themselves

It’s a dilemma for schools. On the one hand, schools need these vendors. Having the infrastructure and expertise to collect, manage, and protect student data is becoming increasingly out of reach for districts as both technology and cybercriminals become more sophisticated.

On the other hand, once that data leaves a school system’s orbit, there’s little it can do to safeguard it.

Where districts have the most power to protect school data is before they sign on the dotted line of a contract, said Amy McLaughlin, the cybersecurity initiative project director for the Consortium for School Networking, a professional association for K-12 education technology leaders. Districts should carefully read vendor contracts and conduct a risk assessment of the vendor, she said. CoSN offers a free K-12 vendor risk assessment tool.

It’s also important to have realistic expectations.

“You’re not going to have a risk-free environment,” McLaughlin said. “Just because somebody has had a security incident doesn’t mean that you shouldn’t use them. You want to know how they responded to it.”

A best practice is for a vendor to quickly acknowledge that it has identified a problem, said McLaughlin, and disclose how long it took them to lock down the system. Vendors should also commit to continuing to monitor the problem and detail what they learned from the incident and what additional steps they have put in place to ensure it doesn’t happen again.

Levin further emphasizes that efforts to improve cybersecurity in K-12 education should focus on the vendors as much as the school districts they contract with. Too often, he said, the focus has been on districts when there’s a limited amount they can do.

“What do we need to do around procurement so we can better assess an IT vendor’s security claims?” he said. “If we’re introducing risks by using these products, what is the good housekeeping seal that districts can look to, to know that vendors are taking this seriously?”

There is the Student Data Privacy Pledge that vendors can sign, but it is a voluntary commitment, not a binding one.

Regulators are also key. Several federal agencies have been focusing more on the cybersecurity practices of online companies, including those that serve K-12 education, said Levin.

“Data and information about school systems is only as secure as the weakest link,” he said.

A version of this article appeared in the February 07, 2024 edition of Education Week as A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know

Events

Jobs Virtual Career Fair for Teachers and K-12 Staff
Find teaching jobs and other jobs in K-12 education at the EdWeek Top School Jobs virtual career fair.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of Education Week's editorial staff.
Sponsor
Reading & Literacy Webinar
Science of Reading: Emphasis on Language Comprehension
Dive into language comprehension through a breakdown of the Science of Reading with an interactive demonstration.
Content provided by Be GLAD
English-Language Learners Webinar English Learners and the Science of Reading: What Works in the Classroom
ELs & emergent bilinguals deserve the best reading instruction! The Reading League & NCEL join forces on best practices. Learn more in our webinar with both organizations.

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide — elementary, middle, high school and more.
View Jobs
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
View Jobs
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
View Jobs
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.
View Jobs

Read Next

Privacy & Security As Cyberattacks Mount, Lawmakers Double Their Efforts to Protect Schools
But the legislative push is not matched by funds to build better cyber defenses.
2 min read
Conceptual illustration of computer with a pixelated lock on screen.
Nanzeeba Ibnat/iStock/Getty Images Plus
Privacy & Security 3 Superintendents Share Cybersecurity Best Practices
Cyberattacks cause major disruptions to learning, but school districts are still struggling to put in place effective protections.
3 min read
Image of a red glowing caution sign over a dark field of data.
Getty
Privacy & Security Saturn Is a New App for High Schoolers. Here’s Why It Has Educators Concerned
Saturn is billed as a time-management app, but experts see potential privacy concerns in allowing it broad access to students' schedules.
6 min read
Image of a clock, calendar, and a pencil.
Tatomm/iStock/Getty
Privacy & Security Q&A AI Is Making Data Literacy a 'Survival Skill' That Schools Must Teach, Experts Argue
A new survey found that more than two-thirds of U.S. adults don't understand how their data is being used.
4 min read
Illustration of individual carrying binary data on his back to put back into the organized background of 1s and 0s.
iStock/Getty Images Plus