A K-12 school safety and student well-being solutions provider that runs a tip-reporting platform has reportedly been hit by a major cyberattack. The breach may have exposed the personal information of students attending more than 30,000 schools in the United States.
A hacker claimed to have accessed systems operated by Navigate360, specifically its tip line P3 Global Intel, according to Reuters. Early reports suggest the hacker’s claims are legitimate, although EdWeek could not independently verify them.
But data security experts say schools shouldn’t wait for confirmation of the hack to take action.
The full extent of the breach—and how many schools, students and staff—may have been affected is unclear. Navigate360 said in a statement that it’s still attempting to find out whether its systems have been compromised.
“We are currently working to determine whether we have experienced an incident involving our computer network and, if so, the extensiveness of the incident and the information involved,” said JP Guilbault, the CEO of Navigate360, in a statement.
“We have not confirmed that any sensitive information has been accessed or misused,” Guilbault added. The company said it has hired an independent third party to investigate the incident.
However, Doug Levin, a school cybersecurity expert and the national director of the K12 Security Information Exchange, said there seems to be enough information “to suggest it’s potentially legitimate and we should be taking it seriously.”
There haven’t been reports of ransom related to the leaked documents, so this seems like “classic hacktivism,” carried out by people who expose activities because they don’t agree with what a government or organization is doing, Levin said.
In this case, he said, the fact that the hacker approached the media and shared the data with a nonprofit whistleblower website line up with how hacktivists usually work.
While the full extent of the breach is uncertain, experts say data collected through confidential tip platforms—typically meant to give schools and law enforcement advance intel to prevent crime and promote school security—are highly sensitive and compromising that data could undermine school safety efforts.
One of the main ways that school administrators learn about students who are planning to harm themselves or others is through their peers reaching out to school staff in person or anonymously, said Kenneth Trump, a school security expert and president of National School Safety and Security Services.
“School administrators work so hard to create that trust to get kids to come forward, and kids are not going to trust anonymous reporting if the system is actually not anonymous,” he said.
Reuters reports that the hacker, using the name Internet Yiff Machine, said in a statement that they hacked and shared the data to expose that the confidential tips people submit through Navigate360’s P3 Global Intel platform are neither secure nor anonymous.
Reuters cited the website Straight Arrow News, founded by American businessman Joe Ricketts, as the first to report the breach. Data from the breach has reportedly also been shared with the transparency website, Distributed Denial of Secrets.
Schools aren’t the only organizations that use the P3 tip app—law enforcement, crime stoppers programs, and federal agencies do as well, according to the company’s website.
Data collected through anonymous tip lines is highly sensitive
The kind of data collected through anonymous tips is highly sensitive and if exposed could harm both the reporters and the subjects of the tips, said David Riedman, the founder of the K-12 School Shooting Database and a professor of security and risk management at Idaho State University.
“This is an app that is sold to identify students who are thinking about self harm, being abused, abusing substances, or making threats of violence,” he said. “That is the most sensitive information possibly available about a child.”
On the flip side, anybody who made what they thought was an anonymous report could be targeted if that information became public, Riedman added.
“You’re potentially making yourself a target of violence, you’re also making yourself a target of subsequent liability, because there have been multiple lawsuits by the families of students who have been caught up in the threat assessment process,” he said.
Both Riedman and Trump say it’s crucial that schools do their due diligence and ensure student data privacy and security is paramount when selecting a vendor and hammering out a contract.
Levin recommends that school districts suspend the use of the platform while the investigation is ongoing and reach out to Navigate360 to demand updates on the incident and whether information about their school community was compromised.
Navigate360 sells a variety of services to K-12 schools, from a character education curriculum to visitor management systems. According to its website, 30,000 schools use its P3 Global Intel confidential tip app.
Incident comes in the wake of other companies that work with schools getting hacked
A data breach would add Navigate360 to the list of K-12 ed-tech companies whose vulnerabilities have put at risk the sensitive information that districts store about students. Most recently, a cyberattack on PowerSchool exposed the personal information of millions of students, parents, and staff and has led to dozens of lawsuits against the ed-tech company.
In 2023, another school safety software company, Raptor Technologies, was subject to a data leak that exposed millions of school records, including evacuation plans, lockdown procedures, and information on students who had been flagged as posing a threat on campus.
A security researcher discovered the files in unsecured databases and reported the leaked files to Raptor Technologies, and the company quickly made the files inaccessible, WIRED magazine reported.
School districts are a top target for hackers and are uniquely vulnerable to cyberattacks. Districts access thousands of ed-tech tools in a school year and rely on their vendors to store and manage a lot of sensitive information.
