A security lapse at a leading school safety company that exposed millions of sensitive records online 鈥 including districts鈥 active-shooter response plans, students鈥 medical records and court documents about child abuse 鈥 has revived criticism that an industry student privacy pledge fails to police bad actors.
In response to an inquiry by 成人抖阴, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies鈥 status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor鈥檚 claims that it scrambles its data.
鈥淲e are reviewing the details of Raptor Technologies鈥 leak to determine if the company has violated its Pledge commitments,鈥 David Sallay, the Washington-based group鈥檚 director of youth and education privacy, said in a Jan. 24 statement. 鈥淎 final decision about the company鈥檚 status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.鈥
Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge.
Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors鈥 government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice 鈥渟omething a bit odd about a student鈥檚 behavior鈥 that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear 鈥榰nkempt or hungry,鈥 withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically.
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm鈥檚 way. And as cybersecurity experts express concerns about , they鈥檝e criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards.
Fowler, a cybersecurity researcher at and a self-described 鈥渄ata breach hunter,鈥 has been tracking down online vulnerabilities for a decade. The Raptor leak is 鈥減robably the most diverse set of documents I鈥檝e ever seen in one database,鈥 he said, including information about campus surveillance cameras that didn鈥檛 work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting.
vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn鈥檛 the result of a hack and there鈥檚 no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months.
The situation could have grown far more dire without Fowler鈥檚 audit.
鈥淭he real danger would be having the game plan of what to do when there is a situation,鈥 like an active shooting, Fowler said in an interview with 成人抖阴. 鈥淚t鈥檚 like playing in the Super Bowl and giving the other team all of your playbooks and then you鈥檙e like, 鈥楬ey, how did we lose?鈥欌
David Rogers, Raptor鈥檚 chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure 鈥渢hat any individuals whose personal information could have been affected are appropriately notified.鈥
鈥淥ur security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,鈥 Rogers said in a statement. 鈥淲e take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.鈥
鈥楳aybe this is a pattern鈥
Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children.
Raptor and the other companies have vowed against selling students鈥 personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to 鈥渕aintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity鈥 of student鈥檚 personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be 鈥渁ppropriate to the sensitivity of the information.鈥
Raptor touts its pledge commitment on its website, where it notes the company takes 鈥済reat care and responsibility to both support the effective use of student information and safeguard student privacy and information security.鈥 The company that it ensures 鈥渢he highest levels of security and privacy of customer data,鈥 including encryption 鈥渂oth at rest and in-transit,鈥 meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it鈥檚 being moved between devices or networks.
Sign-up for the School (in)Security newsletter.
Get the most critical news and information about students' rights, safety and well-being delivered straight to your inbox.
Its , however, offers a more proscribed assurance, saying the company takes 鈥渞easonable鈥 measures to protect sensitive data, but that it cannot guarantee that such information 鈥渨ill be protected against unauthorized access, loss, misuse or alterations.鈥
Districts nationwide have spent tens of millions of dollars on Raptor鈥檚 software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors.
Countering Raptor鈥檚 claims that data were encrypted, Fowler told 成人抖阴 the documents he accessed 鈥渨ere just straight-up PDFs, they didn鈥檛 have any password protections on them,鈥 adding that the files could be found by simply entering their URLs into a web browser.
Officials at the Rochester school district didn鈥檛 respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements.
Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit 鈥 鈥渆xcept maybe it wasn鈥檛.鈥
A decade after the privacy pledge was introduced, he said 鈥渋t falls far short of offering the regulatory and legal protections students, families and educators deserve.鈥
鈥淗ow can educators know if a company is taking security seriously?鈥 Levin asked. Raptor 鈥渟aid all of the right things on their website about what they were doing and, yet again, it looks like a company wasn鈥檛 forthright. And so, maybe this is a pattern.鈥
State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating 鈥 and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing.
Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger.
Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by 成人抖阴 uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search.
鈥淚鈥檝e got a 14-year-old daughter and when I鈥檓 seeing these school maps I’m like, 鈥極h my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,鈥 Fowler said of the Raptor breach. 鈥淭hat鈥檚 the part where I was like, 鈥極h my God, this literally is the blueprint for what happens in the event of a shooting.鈥
鈥楽weep it under the rug鈥
The Future of Privacy Forum鈥檚 initial response to the Raptor breach mirrors the nonprofit鈥檚 actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation.
The forum鈥檚 decision to remove Illuminate followed an article in 成人抖阴, where student privacy advocates criticized it for years of failures to enforce its pledge commitments 鈥 and accused it of being a tech company-funded effort to thwart government regulations.
The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students.
Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to 鈥渃onsider further appropriate action.鈥 It鈥檚 unclear if regulators took any actions against Illuminate. The FTC and the California attorney general鈥檚 office didn鈥檛 respond to requests for comment. The New York attorney general鈥檚 office is reviewing the Illuminate breach, a spokesperson said.
鈥淧ublicly available information appears to confirm that Illuminate Education did not encrypt all student information鈥 in violation of several Pledge provisions, Forum CEO Jules Polonetsky told 成人抖阴 at the time. Among them is a commitment to 鈥渕aintain a comprehensive security program鈥 that protects students鈥 sensitive information鈥 and to 鈥渃omply with applicable laws,鈥 including New York鈥檚 鈥渆xplicit data encryption requirement.鈥
After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector鈥檚 equivalent of an Oscar.
Raptor isn鈥檛 the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children鈥檚 school buses. A statement the forum provided 成人抖阴 didn鈥檛 mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments.
Despite the forum鈥檚 actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to 鈥渧irtue signaling鈥 that can be quickly brushed aside.
鈥淧ledges are just that, they鈥檙e like, 鈥楬ey, that sounds good, we鈥檒l agree to it until it no longer fits our business model,鈥 he said. 鈥淎 pledge is just like, 鈥渨hoops, our bad,鈥 a little bit of bad press and you just sweep it under the rug and move on.鈥
Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor鈥檚 early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe.
Although he said he has 鈥渁 great deal of admiration鈥 for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.
鈥淪ometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, 鈥楲ook, we are committed to doing better,鈥 when in fact, they鈥檙e using the pledge to avoid being told to do better,鈥 he said. 鈥淭hat鈥檚 what we need, not people saying, 鈥極n scout鈥檚 honor I鈥檒l do X.鈥欌
Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 成人抖阴.
Get stories like these delivered straight to your inbox. Sign up for 成人抖阴 Newsletter