澳门跑狗论坛

Privacy & Security

A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know

By Arianna Prothero 鈥 January 24, 2024 5 min read
Concept image of security breach, system hacked alert with red broken padlock icon showing vulnerable access.
  • Save to favorites
  • Print
Email Copy URL

More than 4 million . The cybersecurity leak鈥攚hich the company says is now patched鈥攊ncluded thousands of documents detailing emergency plans at U.S. schools, including lockdown procedures.

The data leak is the latest in a series of high-profile cybersecurity incidents with K-12 vendors from the past few years, including a 2022 cyberattack on Illuminate Education, and a .

But incidents like this raise the question: what can districts do when a vendor they trust to hold sensitive data fails to safeguard that information? It鈥檚 not a question reserved just for the districts affected by the Raptor Technologies data security leak, said Doug Levin, the director of K12 Security Information Exchange, which tracks cybersecurity problems in schools.

鈥淚n general, security experts would encourage school systems to outsource these services to technology companies that may be more expert at protecting IT systems than school districts, because it is their full-time job and may have more expertise,鈥 he said. 鈥淗owever, it does mean that if they happen to be compromised, the scope of those incidents can be orders of magnitude larger.鈥

In a statement to 澳门跑狗论坛, Raptor Technologies Chief Marketing Officer David Rogers said the company is taking extra precautions in addressing the leak. 鈥淲e take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused,鈥 he said.

While there鈥檚 only so much schools can do to protect data that has been shared with vendors, say experts, there are steps schools should take to do their due diligence and be savvy customers.

Students鈥 medical records, school safety evacuation plans, names of students who might pose threats were compromised

In December, a security researcher working for a company called vpnMentor reported the data leak to Raptor Technologies, which is used by more than 5,300 U.S. school districts, according to the company鈥檚 website. That represents more than a third of all school districts in the country. Earlier this month, the security incident was , which found a host of sensitive information was left exposed, including:

  • Evacuation plans with maps showing escape routes and meeting places;
  • Information on students who had been flagged as posing a threat on campus;
  • Court documents outlining family abuse and restraining orders;
  • Medical records, including students鈥 health conditions;
  • The names and ID numbers of staff, parents, guardians, and students;
  • And, in some cases, details such as whether a door was locked or a security camera was broken.

鈥淭he sensitivity of these data are definitely a concern,鈥 said Levin. 鈥淭his is not a case where simply offering free credit monitoring is necessarily the right remedy, even though that is the standard for companies that experience an incident.鈥

Raptor Technologies provides a suite of software services to school districts, including products that screen and track school visitors, monitor student attendance, and conduct behavioral threat and suicide risk assessments.

The District of Columbia Public Schools was among the districts affected鈥攁lthough only to a relatively small degree, the district said in a notice to families. The district had only recently started using Raptor Technologies鈥 visitor management software in some of its schools, so student names and ID numbers were temporarily accessible. The district has suspended the use of the software.

鈥淥ur investigation into the nature of the issue remains ongoing,鈥 Rogers said in the statement from Raptor Technologies. 鈥淗owever, at this time, Raptor is supporting its customers, if needed, in reviewing the contents of the data and ensuring that any individuals whose personal information could have been affected are appropriately notified.鈥

Raptor Technologies also emphasized in its statement that its security protocols are 鈥渞igorously tested鈥 by third-party reviewers.

What schools can鈥攁nd can鈥檛鈥攄o to protect themselves

It鈥檚 a dilemma for schools. On the one hand, schools need these vendors. Having the infrastructure and expertise to collect, manage, and protect student data is becoming increasingly out of reach for districts as both technology and cybercriminals become more sophisticated.

On the other hand, once that data leaves a school system鈥檚 orbit, there鈥檚 little it can do to safeguard it.

Where districts have the most power to protect school data is before they sign on the dotted line of a contract, said Amy McLaughlin, the cybersecurity initiative project director for the Consortium for School Networking, a professional association for K-12 education technology leaders. Districts should carefully read vendor contracts and conduct a risk assessment of the vendor, she said. CoSN offers a .

It鈥檚 also important to have realistic expectations.

鈥淵ou鈥檙e not going to have a risk-free environment,鈥 McLaughlin said. 鈥淛ust because somebody has had a security incident doesn鈥檛 mean that you shouldn鈥檛 use them. You want to know how they responded to it.鈥

A best practice is for a vendor to quickly acknowledge that it has identified a problem, said McLaughlin, and disclose how long it took them to lock down the system. Vendors should also commit to continuing to monitor the problem and detail what they learned from the incident and what additional steps they have put in place to ensure it doesn鈥檛 happen again.

Levin further emphasizes that efforts to improve cybersecurity in K-12 education should focus on the vendors as much as the school districts they contract with. Too often, he said, the focus has been on districts when there鈥檚 a limited amount they can do.

鈥淲hat do we need to do around procurement so we can better assess an IT vendor鈥檚 security claims?鈥 he said. 鈥淚f we鈥檙e introducing risks by using these products, what is the good housekeeping seal that districts can look to, to know that vendors are taking this seriously?鈥

There is the that vendors can sign, but it is a voluntary commitment, not a binding one.

Regulators are also key. Several federal agencies have been focusing more on the cybersecurity practices of online companies, including those that serve K-12 education, said Levin.

鈥淒ata and information about school systems is only as secure as the weakest link,鈥 he said.

A version of this article appeared in the February 07, 2024 edition of 澳门跑狗论坛 as A Massive Data Leak Exposed School Lockdown Plans. What Districts Need to Know

Events

Artificial Intelligence K-12 Essentials Forum Big AI Questions for Schools. How They Should Respond鈥
Join this free virtual event to unpack some of the big questions around the use of AI in K-12 education.
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of 澳门跑狗论坛's editorial staff.
Sponsor
School & District Management Webinar
Harnessing AI to Address Chronic Absenteeism in Schools
Learn how AI can help your district improve student attendance and boost academic outcomes.
Content provided by 
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of 澳门跑狗论坛's editorial staff.
Sponsor
Science Webinar
Spark Minds, Reignite Students & Teachers: STEM鈥檚 Role in Supporting Presence and Engagement
Is your district struggling with chronic absenteeism? Discover how STEM can reignite students' and teachers' passion for learning.
Content provided by 

EdWeek Top School Jobs

Teacher Jobs
Search over ten thousand teaching jobs nationwide 鈥 elementary, middle, high school and more.
Principal Jobs
Find hundreds of jobs for principals, assistant principals, and other school leadership roles.
Administrator Jobs
Over a thousand district-level jobs: superintendents, directors, more.
Support Staff Jobs
Search thousands of jobs, from paraprofessionals to counselors and more.

Read Next

Privacy & Security What Teachers Need to Know About Changes to Instagram Teen Accounts
The adjustments come as Meta faces multiple lawsuits from states and school districts.
4 min read
Close up photo of Black teen looking at Instagram photos on her cellphone.
Anastasia_Prish/Getty
Privacy & Security Download A Tip Sheet to Help Teachers Prevent and Respond to Doxxing
Teachers can be a target for malicious actors. Use this tip sheet to prevent and respond to doxxing.
1 min read
Image of digital safety against doxxing and privacy invasion.
Laura Baker/澳门跑狗论坛 via Canva
This content is provided by our sponsor. It is not written by and does not necessarily reflect the views of 澳门跑狗论坛's editorial staff.
Sponsor
Privacy & Security Quiz
Quiz Yourself: How Much Do You Know About Cybersecurity For Schools And Districts?
Answer 6 questions about actionable cybersecurity solutions.
Content provided by 
Privacy & Security What Schools Need to Know About These Federal Data-Privacy Bills
Congress is considering at least three data-privacy bills that could have big implications for schools.
5 min read
Photo illustration of a key on a digital background of zeros and ones.
E+