
School security company has a cybersecurity breach.

Rapt0rHunter

Summary

School cybersecurity company Raptor Technologies had a security breach involving sensitive information.

 

Quotes


Experts have uncovered a significant data breach involving a non-password-protected database containing more than four million records, totalling around 827GB, concerning private school data.

While reviewing a sample of the documents, Fowler discovered school layouts, information about malfunctioning cameras and security gaps, background checks, student health information, court-ordered protection orders, and more.

 

My thoughts

I'm no cybersecurity expert, but to have extremely sensitive information in a non-password-protected database, especially pertaining to schools, is absolutely insane.

It also shows that a cybersecurity breach can be as simple as "we didn't put a password on it and someone got in."

 

Sources

https://www.techradar.com/pro/security/school-software-breach-reveals-private-data-on-millions-of-users


I still remember breaking out school admin so I installed 1.6 for everyone and we had a LAN party for 2h which was meant to be a double IT lesson :DD

 

Everything got shut down when a different dude started messing with some Adobe app and found an admin backdoor. IT department launched the nuke option, everything was down for 2 days and we no longer had a way to play 1.6 😠 

 

mf should have stopped fiddling with that Adobe app when I told him.

Desktop: Ryzen 7 5800X3D - Kraken X62 Rev 2 - STRIX X470-I - 3600MHz 32GB Kingston Fury - 250GB 970 Evo boot - 2x 500GB 860 Evo - 1TB P3 - 4TB HDD - RX6800 - RMx 750 W 80+ Gold - Manta - Silent Wings Pro 4's enjoyer

SetupZowie XL2740 27.0" 240hz - Roccat Burt Pro Corsair K70 LUX browns - PC38X - Mackie CR5X's

Current build on PCPartPicker

 


Is it bad that I have largely become desensitized to breaches? They're going to happen no matter what honestly. My mantra is not IF, but WHEN will breaches happen. 

Community Standards | Fan Control Software

Please make sure to Quote me or @ me to see your reply!

Just because I am a Moderator does not mean I am always right. Please fact check me and verify my answer. 

 

"Black Out"

Ryzen 9 5900x | Full Custom Water Loop | Asus Crosshair VIII Hero (Wi-Fi) | RTX 3090 Founders | Ballistix 32gb 16-18-18-36 3600mhz 

1tb Samsung 970 Evo | 2x 2tb Crucial MX500 SSD | Fractal Design Meshify S2 | Corsair HX1200 PSU

 

Dedicated Streaming Rig

 Ryzen 7 3700x | Asus B450-F Strix | 16gb Gskill Flare X 3200mhz | Corsair RM550x PSU | Asus Strix GTX1070 | 250gb 860 Evo m.2

Phanteks P300A |  Elgato HD60 Pro | Avermedia Live Gamer Duo | Avermedia 4k GC573 Capture Card

 


2 minutes ago, Skiiwee29 said:

Is it bad that I have largely become desensitized to breaches? They're going to happen no matter what honestly. My mantra is not IF, but WHEN will breaches happen. 

Same, and honestly that's not a good thing, since the more people get desensitized to it, the more nobody in general will care.


39 minutes ago, Rapt0rHunter said:

to have extremely sensitive information in a non-password-protected database

You know.. you'd think people have the ability to learn from others' mistakes.. but I've been hearing this exact news for several years now.. and it keeps happening.


17 minutes ago, Skiiwee29 said:

Is it bad that I have largely become desensitized to breaches? They're going to happen no matter what honestly. My mantra is not IF, but WHEN will breaches happen. 

Nothing is 100% secure. Now it's bad, but if we ever enter the quantum age of computing we might as well just view everything we ever put on a network as public.


I'm no SQL admin, but does having no password protection for a database mean there was no read protection based on user permissions and such? As in, the database had 'Everyone' read access?

Ryzen 7950x3D PBO +200MHz / -15mV curve CPPC in 'prefer cache'

RTX 4090 @133%/+230/+1000

Builder/Enthusiast/Overclocker since 2012  //  Professional since 2017


13 minutes ago, Agall said:

I'm no SQL admin, but does having no password protection for a database mean there was no read protection based on user permissions and such? As in, the database had 'Everyone' read access?

Don't assume it was even SQL. Sounds like "database" is being used very loosely here since they are talking about viewing documents etc. Odds are it's a document repository not "a database".


45 minutes ago, venomtail said:

I still remember breaking out school admin so I installed 1.6 for everyone and we had a LAN party for 2h which was meant to be a double IT lesson :DD

 

Everything got shut down when a different dude started messing with some Adobe app and found an admin backdoor. IT department launched the nuke option, everything was down for 2 days and we no longer had a way to play 1.6 😠 

 

mf should have stopped fiddling with that Adobe app when I told him.

I had free rein during all of middle school. Safari on OS X Tiger had an exploit where you could click a URL protocol that opened the Script Editor and it would ignore permissions on Script Editor itself. Then you could write a script to open whatever app you wanted, still bypassing permissions.


Just now, leadeater said:

Don't assume it was even SQL. Sounds like "database" is being used very loosely here since they are talking about viewing documents etc. Odds are it's a document repository not "a database".

I'm asking in general because I'm not a SQL admin, but I am the rest 😄 


14 minutes ago, Agall said:

I'm asking in general because I'm not a SQL admin, but I am the rest 😄 

Ah ok, well, every major database engine has RBAC security schemes and can even go down to table and row level security. You can grant 'everyone' the ability to access a database, but it's not default and there isn't really any reason why someone would. Typically public unauthenticated access is done through a web front end, and the web server uses a configured service account with read access.

 

Databases as such don't "have passwords"; an Identity, Authentication and Authorization security model is used, which could be Active Directory or just locally defined usernames and passwords in the database engine itself. Accounts or groups are granted access to specific resources, which aren't even necessarily the entire database.


8 minutes ago, leadeater said:

Databases as such don't "have passwords"; an Identity, Authentication and Authorization security model is used, which could be Active Directory or just locally defined usernames and passwords in the database engine itself.

See, this is my understanding as a sys/network admin. Then different areas of the database have respective local/domain permissions but still 'password protected' in some way by default.

 

"Experts have uncovered a significant data breach involving a non-password-protected database containing more than four million records"

 

This is where the statement confuses me, on how a database isn't 'password protected', which I assume to mean that there were just no access restrictions based on credentials. Either that, or there was simply a service account with default credentials they exploited.


1 hour ago, leadeater said:

Don't assume it was even SQL. Sounds like "database" is being used very loosely here since they are talking about viewing documents etc. Odds are it's a document repository not "a database".

"Database"...i.e. Cloud storage buckets that weren't password protected, which by the sounds of it contained files.

 

https://www.vpnmentor.com/news/report-raptortech-breach/

This, I think, is a lot better breakdown though. Honestly it really sounds like it's another one of these "accidentally set the cloud storage to public" cases.

 

Sounds like it was a database file that was exposed, as they mention blobs being the bulk of the exposure (with other production documents as well).  

3735928559 - Beware of the dead beef


2 hours ago, Agall said:

Where this statement confuses me on how a database isn't 'password protected'

Because it isn't a database. It's just usage of the wrong word and nothing else really. Since it's more likely a document repository then it's something like SharePoint, S3 Bucket, Web Frontend of some kind. What it won't be is actually a database.  


1 hour ago, wanderingfool2 said:

"Database"...i.e. Cloud storage buckets that weren't password protected, which by the sounds of it contained files.

lol I had guessed it was likely S3 buckets, ughhh this is not the first time the exact same thing has happened.
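Posters above guess the "database" was a cloud storage bucket accidentally left public, with a blob store holding the bulk of the files. As an added example (not from the article, the thread, or Raptor Technologies), here is a small audit that flags bucket-policy statements granting the anonymous "*" principal access, run over two constructed S3-style policies: the exposed public-read case and the named-service-account pattern leadeater describes. The bucket name, role name and account id are placeholders.

```python
import json

# Constructed sample policies for this example, not from the article or any real
# Raptor deployment; 123456789012 is AWS's documentation placeholder account id.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",  # anyone on the internet, no credentials needed
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
    }],
})

SERVICE_ACCOUNT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WebTierReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-frontend"},
        "Action": "s3:GetObject",  # read-only, for one named role
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal) -> bool:
    """True when Principal is the wildcard, in either of its JSON spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_statements(policy_json: str) -> list:
    """Return (Sid, kind, actions) for each Allow statement open to anonymous
    principals; kind is 'public', or 'conditional' when a Condition is present
    (it may narrow the audience, so those still need a manual review)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        kind = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind, _as_list(stmt.get("Action", []))))
    return findings

def is_public(policy_json: str) -> bool:
    """Does the policy grant unconditional anonymous access to anything?"""
    return any(kind == "public" for _, kind, _ in public_statements(policy_json))
```

A bucket policy is only one of several places public access can be granted (ACLs and the account-level public access block settings also matter), so a real audit checks those too.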


1 minute ago, leadeater said:

Because it isn't a database. It's just usage of the wrong word and nothing else really. Since it's more likely a document repository then it's something like SharePoint, S3 Bucket, Web Frontend of some kind. What it won't be is actually a database.  

I had considered that, just SMB location without specific permissions, which I imagine might've not been set properly for least privileges.


What's silly about all of this is say someone found this and tried to report it, they'd probably be charged with a crime for unauthorized access of the materials even though they did nothing wrong. What we need are liabilities and criminal charges for not securing data in the first place. At least a minimum low bar to meet or else.


I can't say too much regarding this. However, I am the Technology Director of a school district that uses Raptor. We were notified that our data was part of the exposure. I will say so far communication from Raptor has been zero beyond initial notification and they have not provided us any more details than what you know. We have yet to even receive a response from our internal sales rep in the company. It certainly is a frustrating situation, especially since we have a data privacy agreement with this company that governs situations such as these.


2 hours ago, DEERMYSTER said:

I can't say too much regarding this. However, I am the Technology Director of a school district that uses Raptor. We were notified that our data was part of the exposure. I will say so far communication from Raptor has been zero beyond initial notification and they have not provided us any more details than what you know. We have yet to even receive a response from our internal sales rep in the company. It certainly is a frustrating situation, especially since we have a data privacy agreement with this company that governs situations such as these.

That's certainly frustrating for sure but I do understand why they don't want to be saying anything too quickly. Personal details about minors, medical information, court protection order information, criminal background information are part of this and they all have heavy regulatory and compliance around them so basically everything will be going through legal representation and advice first. Sadly that also means details you might want to know will be withheld for a while or indefinitely. 

 

This will be Raptor Technologies' worst day as a company so far, hopefully ever. But it could probably get worse because in my opinion they should be called in front of some kind of review panel and grilled, very hard.


6 hours ago, leadeater said:

This will be Raptor Technologies' worst day as a company so far, hopefully ever. But it could probably get worse because in my opinion they should be called in front of some kind of review panel and grilled, very hard.

I could see them being pulled in, then using a scapegoat employee to deflect blame and then increasing contract prices with the government to allow for "better" securing of data that isn't cloud related (or trying to pin it on cloud companies that allow the data to be so "easily" made public).

 

Honestly though, I'm scared of the day when one of these cloud providers ends up with a vulnerability that exposes all non-encrypted data stored on their servers.

 

 

Sounds like this data though is going to get them at least in hot water...with some of the information being plans where the kids would likely run in active shooter situations (i.e. if a shooter had gotten their hands on those plans they could maximize terror and exploit the plans against them)


Someone is having a lot of fun selling exam answers on the dark web.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctua Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


2 hours ago, wanderingfool2 said:

Sounds like this data though is going to get them at least in hot water...with some of the information being plans where the kids would likely run in active shooter situations (i.e. if a shooter had gotten their hands on those plans they could maximize terror and exploit the plans against them)

That's actually not that serious information, the "what to do" in those situations is pretty standard and easily found information. Health information about minors is easily the most serious of anything, that's HIPAA breach hard core mode. If you want the book thrown at you almost nothing works better than "won't somebody think of the children"


30 minutes ago, leadeater said:

That's actually not that serious information, the "what to do" in those situations is pretty standard and easily found information. Health information about minors is easily the most serious of anything, that's HIPAA breach hard core mode. If you want the book thrown at you almost nothing works better than "won't somebody think of the children"

Dumb question? Why isn't/wasn't sensitive information like that encrypted?


25 minutes ago, Bitter said:

Dumb question? Why isn't/wasn't sensitive information like that encrypted?

Well, there are multiple factors to that, the first being it very well could have been, but since access was gained through regular system access from a valid account (in this case everyone/public) the ability to read was there. This would be encryption at rest or storage encryption, something like that, rather than file encryption.

 

Realistically it'll be document scans of actual paperwork or external digital documents and the storage buckets are either temporary location used for file uploads in to the system or where those files actually get stored. More often than not since the location of where that data is stored is supposed to be secured you don't do file level encryption and it wouldn't actually help in a data breach through the application itself since the application would have the keys to decrypt.

 

The what and why is actually a lot more complicated than it may seem much of the time. Some things you'd think would help won't necessarily, it's all a big "it depends" and without information it's difficult to make any judgement calls.

 

I know the most widely used Student Management System in my country used an SMB share for its file upload temporary location and it wasn't really cleaned out in any special or automated way that I could tell, or at least not often enough anyway. Their systems were hosted by my work and I had full admin access to all their servers and databases as well as being responsible for all their data backups. We were also their technical support for server issues etc since it was all hosted by us and even joined to our Active Directory. We no longer host their systems though, haven't for a number of years, was very glad to see them go, very. Their software architecture and system architecture were not on the top end of data security and had some quite serious risk factors like that SMB share, which had all the same documents and information in there as in this story.

 

Obviously I'm not going to name names but all going well the data was secure but the issue was if for any reason things were not "all going well" even temporarily the potential exposure was very serious. It was something I noted to them a few times.
