DEFCROS News reports:
Senators Maggie Hassan and Jim Banks are pressing for answers from Navigate360 following a cyberattack that reportedly compromised sensitive student data from school safety tip lines. The incident has raised significant concerns about the security of information intended to protect students and the integrity of the systems designed to facilitate anonymous reporting. This situation came to light amid growing scrutiny of cybersecurity measures in educational institutions.
Read more at DEFCROS News.
At the heart of concerns about the breach is that Navigate360 and its subsidiary, P3 Global Intel, assured those submitting tips that they would be anonymous and that the tips were stored securely, with encryption. The data released by the hacktivist suggests that neither claim was true. Anyone with access to the leaked dataset can see the names of the tipsters and their tips in plain text, without any password required.
Navigate360’s lack of transparency with the public about the breach has been noted by several news sites and journalists. Although the breach also affected Crime Stoppers organizations and mobile apps used by members of the military to submit anonymous tips, the senators’ questions focus solely on its impact on students and school personnel. Their April 24 letter asks Navigate360 to respond to the following questions by May 8:
- What cybersecurity protections does your company have in place to prevent malicious
actors from gaining access? How was the hacker able to circumvent these protections to
infiltrate your system?- What personally identifiable information was stolen in the data breach? Please clarify
whether relevant data related to students, staff, or schools.- How many individuals across the United States had their data compromised by the
cyberattack? Please provide a breakdown of the number of impacted individuals and
schools by state.- Are tips submitted through the P3 Global Intel platform fully anonymous, or is personally
identifiable information transmitted with the tip or stored in your systems?- How many Navigate360 employees have access to any personally identifiable
information stored in your systems? What safeguards does Navigate360 have to ensure
that personally identifiable information is not shared by employees without
authorization?- Has Navigate360 ever shared personally identifiable information that it collected through
P3 Global Intel with law enforcement, or due to a court order?- What assistance have you provided to states, school districts, and schools that were
impacted by the data breach, and what supports will you provide them moving forward?
Some details of the attack and the information exposed in the breach have been reported by DataBreaches.net, one of several individuals who received copies of the dataset from the hacktivist who acquired it.
