COLUMBIA − A cybersecurity researcher found a data leak in an app used to protect students and staff in schools across the United States, including Missouri.
“I didn’t target them, I found the database by accident. I looked at a few documents and once I saw that they were sensitive, that’s when I searched Raptor and saw what they do,” researcher Jeremiah Fowler said.
Raptor Technologies, a Texas-based company, uses its software to allow school administration, teachers, and staff to make emergency alerts, among other features. The alert works with 911 to give information like campus maps to first responders.
Fowler said he found everything from emails, medical records of students, and more when looking through the database.
“That was probably one of the most comprehensive and diverse databases I’ve found. With everything from school maps, shooter drills, there were divorce documents, there were protection orders, there were court cases against sexual predators,” he said. “I mean it really was extremely diverse.”
Fowler said he alerted Raptor on Dec. 20.
Mike O'Connell, communications director for the Missouri Department of Public Safety (DPS), said the department was informed of the leak on Thursday.
“Raptor Technologies says some data from some Missouri schools had been vulnerable before being secured," O'Connell said.
O’Connell did not respond to KOMU 8’s request for further information about which school districts were at risk. However, he also stated that the company eased concerns.
“The company says it immediately took action to secure the data and believes no one other than the researcher accessed the data,” O’Connell said.
David Rogers, chief marketing officer at Raptor, sent the following statement to KOMU 8, noting the company has no evidence of any misuse of the data.
"We care deeply about the safety and well-being of children and all those community members our customers serve, which is exactly why we took prompt action when made aware by a cybersecurity researcher of an issue involving certain cloud-hosted data repositories. We secured the data repositories in question and communicated with our customers.
"Importantly, we have no evidence that there has been any misuse of the information stored in these data repositories. We are committed to safeguarding our customers’ information and their trust in line with our mission to protect every child, every school, every day."
Daily HeadlinesHave the latest local news delivered every morning to start your day informed.
On May 10, Gov. Mike Parson announced the state was providing funding to make the mobile emergency alert app available to all public school districts and charter schools in the state.
In an Aug. 18 press release, the DPS said 143 Missouri school districts and charter schools, representing 830 school buildings, had signed up for the program.
On Aug. 30, the following districts in mid-Missouri told KOMU 8 they expected to have their staff trained and the app properly installed in the fall: New Franklin, Bunceton, Eldon, Cole County, and Columbia Public Schools.
On Thursday, CPS told KOMU 8 that the district had not started using Raptor but is working on mid-year implementation.
Fowler said this data getting into the wrong hands could have resulted in domestic terrorism or identity theft.
“That would be the equivalent of two football teams playing in the Super Bowl and one team has all the playbook of the other team,” he said.
One CPS parent, Rigel Oliveri, likes the idea of the app.
“I think every parent in the United States should be concerned about school security,” she said. “Apps are a good way to communicate and staff need to use the tools that are the best for them.”
However, she said the leak is concerning for her.
“That’s never a good thing to hear. It’s very disturbing anytime something is leaked, but if it didn’t get in the hands of anybody that’s going to do something bad with it that’s at least comforting to know,” Oliveri said.
Fowler said this is another reminder of the importance of cyber security. He said it’s important to not use the same password and use two-factor authentication.
WIRED first reported the data leak on Thursday.
