Sandy Hook Promise and others use anonymous tips to prevent school shootings. Hackers exposed their data
The nonprofit Sandy Hook Promise sought to turn a tragedy into a force for good. Using tips to its “Say Something Anonymous Reporting System,” the group formed by parents of children who died in one of the nation’s most horrific school shootings said last year it had prevented 176 acts of violence at schools and other locations.
But those tips — and countless others — are no longer anonymous.
A recent hack of P3 Global Intel — the company that collects reports for Crime Stoppers programs, the military and more than 35,000 schools across the country — has exposed details about potential school shooters and bullies, as well as the people who informed on them.
The hack of P3, as exclusively revealed by Straight Arrow News last month, has raised serious concerns among many in the education space, given the exposure of personal information linked to tipsters and those being reported.
To make matters worse, the hacker group behind the breach, known as the Internet Yiff Machine, is now offering to sell the data cache on a cybercrime forum for $10,000. The group had previously provided the stolen tip information only to SAN and the nonprofit leak archiver DDosSecrets for reporting purposes.
And with uncertainty around how and whether victims in the breach will be warned, the identities of teachers, students and parents could soon fall into the hands of the highest bidder.
Sandy Hook Promise told SAN it is treating reports of the breach “with the utmost seriousness and believe that confidentiality, trust, and privacy of our community are paramount.”
However, the organization said, its anonymous reporting system “remains fully operational, and our National Crisis Center is standing by — as always, 24/7/365 — to respond to every tip that is submitted.”
Threats of shootings and suicide
An analysis by SAN shows the highly sensitive nature of the leak.
In one tip from 2018, an educator who describes herself as working directly with Sandy Hook Promise provided her name, phone number and email address when reporting a picture on Facebook “of a person in a clown mask holding a gun.”
The post, according to the tip, went on to warn students not to attend a specific high school the following day. An individual with Sandy Hook Promise responded some time after, stating that the organization was “looking into the issue to inform the proper authorities.”
SAN was able to confirm the identity of the tipster. Although she is no longer associated with the school mentioned in the tip, she continues to work in education. She did not respond to an email or a phone call from SAN, and it remains unclear if she’s aware that her name and other personal information were included in the data leak.
While cases related to firearms are present throughout the data, tips related to bullying and suicide appear most often. One record from 2024 even warns that the report should not be shared with anyone other than district officials and law enforcement.
“Upon request by a District Official, we will forward the report to the requested individual or school,” a comment in the data says. “Otherwise please DO NOT share the report with School Recipients.”
The report goes on to detail a high school student who had gone to an emergency room for a suicide attempt the previous year. After being sent to a “facility” in her state, the student returned to school and quickly expressed concern over a lack of support.
“She told me it was okay to report this because she wants to help make sure other kids who go to the psychiatric hospital get some sort of support upon their return to school,” the tipster wrote.
Decades of reports on sexual abuse
Allegations of inappropriate behavior by teachers are also present in the leaked data. A 2012 tip accuses a male teacher in Florida of “talking dirty to his students” by frequently discussing female body parts.
“They don’t want him as a teacher,” the tipster, who claimed to be a seventh-grader, said. “He is always staring at the girls and no one seems to care. Can you please help them?”
Notes from the individual receiving the tip, associated with Florida’s P3-powered “Speakout Hotline” reporting program, indicate that the police were informed of the incident.
As reported by DataBreaches.net, which recently published an analysis of the hacked data for IT professionals in the education sector, leaked tips sent to schools date back decades. A tip from 2003 detailed allegations that a babysitter had sexually molested a child two years earlier.
DataBreaches.net determined that based on the age of the child at the time of the tip, the alleged victim would now be 28. A search by the website for the alleged victim’s unique name quickly pulled up her social media profile and the same address as provided by the tipster more than two decades prior.
The website did not reach out to the woman to avoid bringing up past trauma.
‘In the dark’
It remains unclear how — or whether — Navigate360, the parent company of P3 Global Intel, will inform people exposed in the data breach.
Navigate360 previously told SAN that it was investigating the breach, but it did not respond to recent emails from SAN. On its website, Navigate360 says it “brings safety, student behavior, operations, and training together in a single ecosystem.”
Doug Levin, national director for the nonprofit cybersecurity firm K12 SIX, has been sounding the alarm about the data breach since SAN reported on it last month. Levin’s firm focuses on the education community and provides cybersecurity best practices to school IT teams.
“The P3 tip line application breach remains a deeply disturbing and challenging event for the K-12 education community,” Levin told SAN. “One month since the incident was first reported, victims — and the organizations that could support them — remain in the dark about the elevated risks they are facing.”
Levin says the education sector’s trust in Navigate360 “is being sorely tested” as the severity of the breach becomes more apparent.
“It appears there is a significant mismatch,” he said, “between the IT security practices associated with the application and the sensitivity of the data it collects and manages.”
Ella Rae Greene, Editor In Chief
