Some 4 million records, including school shooter emergency plans, have been exposed online in the latest case of unsecured cloud storage.

Discovered by security researcher Jeremiah Fowler and detailed today by vpnMentor, the exposed cloud instance was found to belong to Raptor Technologies LLC, a Texas-based school security company. Fowler found three separate storage buckets that included sensitive information related to students, teachers, parents and school safety plans or procedures.

The documents viewed by Fowler included school incident response plans, layouts of schools and classrooms and notes on infrastructure challenges like malfunctioning cameras or security gaps. Other files contained details on background check systems with names and information about at-risk students, highlighting their personal and medical conditions, mental health or legal issues and potential threats they could pose to the school.

Fowler also found PDF files and images of court-ordered protection orders, divorce decrees and other official legal documents. The documents included records of monthly drills and detailed accounts of incidents or noncompliance with safety protocols reported by school staff.

Raptor Technologies offers solutions, including a visitor management system that allows schools to track and screen visitors, volunteers and contractors. The system checks to make sure they are not listed on any sex offender registries or watchlists or have any other known risk factors associated with them. The company is also said to offer emergency management tools that enable schools to identify and respond to emergencies, including attendance tracking, drills and other systems for crisis management.

The only good news from the story is that Raptor responded quickly after Fowler sent a responsible disclosure notice to the company, removing public access to the cloud instance a day after receiving the notice.

The exposure, though, does raise concerns, particularly given the uniquely American issue of mass school shootings. Fowler noted that detailed school layouts, security plans and information about at-risk students could be dangerously misused if they fall into the wrong hands. The availability of such detailed information could potentially assist wannabe school shooters in planning and executing attacks by exploiting known vulnerabilities and security gaps.

The release of personal and medical information of students and staff also violates privacy and could lead to identity theft, bullying or discrimination. The incident highlights the need for stringent cybersecurity measures in schools to protect against digital and physical threats, ensuring the safety and privacy of students and staff in educational environments.

Image: DALL-E 3