SecurityWeek

Data Protection

Breach Exposed Data of Half-Million Chicago Students, Staff

The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but the vendor didn’t report it to the district until last month, officials said.

The data breach occurred Dec. 1 and technology vendor Battelle for Kids notified CPS on April 26, the district said Friday. A server used to store student and staff information was breached and four years’ worth of records were accessed, CPS said.

In total, 495,448 student and 56,138 employee records were accessed from the 2015-16 through 2018-2019 school years, CPS said. The data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations.

Employee data accessed for those years included names, employee identification numbers, school and course information, emails and usernames.

CPS said the breached server did not store any other records.

“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” the district said in a statement.

CPS said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection.

CPS representatives said the district has been informing affected families and staff and would also notify those whose records weren’t accessed “to provide them with peace of mind.”

The FBI and Department of Homeland Security both investigated the breach and the vendor is “monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.

Battelle for Kids was hired to help district leaders conduct CPS’ REACH teacher evaluation program. Those evaluations take into account the growth in students’ academic performance each year.

CPS said it was notified of the breach by Battelle for Kids via a mailed letter on April 26, but it “did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11.”

CPS said that because its contract with the vendor states that it should immediately notify the district of any data breach, it is “addressing the delayed notification and other issues in the handling of data with Battelle for Kids.”

Battelle for Kids said Friday in a statement to the Chicago Sun-Times that the company “immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact.”

The company said it has since put in place stronger security protocols but did not answer why it did not inform CPS of the breach while the assessment was underway.

CPS has had a relationship with Battelle for Kids since 2012, the Chicago Sun-Times reported. The most recent contract was signed in January — a month after the breach — and is supposed to top out at about $90,000 for a year ending Jan. 31, 2023.

Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, the Sun-Times reported, citing an online database of CPS vendor payments.
