The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but the vendor didn’t report it to the district until last month, officials said.
The data breach occurred Dec. 1 and technology vendor Battelle for Kids notified CPS on April 26, the district said Friday. A server used to store student and staff information was breached and four years’ worth of records were accessed, CPS said.
In total, 495,448 student and 56,138 employee records were accessed from the 2015-16 through 2018-2019 school years, CPS said. The data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations.
Employee data accessed for those years included names, employee identification numbers, school and course information and emails and usernames.
CPS said the breached server did not store any other records.
“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” the district said in a statement.
CPS said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection.
CPS representatives said the district has been informing affected families and staff and would also notify those whose records weren’t accessed “to provide them with peace of mind.”
The FBI and Department of Homeland Security both investigated the breach and the vendor is “monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.
Battelle for Kids was hired to help district leaders conduct CPS’ REACH teacher evaluation program. Those evaluations take into account the growth in students’ academic performance each year.
CPS said it was notified of the breach by Battelle for Kids via a mailed letter on April 26, but it “did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11.”
CPS said that because its contract with the vendor states that it should immediately notify the district of any data breach, it is “addressing the delayed notification and other issues in the handling of data with Battelle for Kids.”
Battelle for Kids said Friday in a statement to the Chicago Sun-Times that the company “immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact.”
The company said it has since put in place stronger security protocols but did not answer why it did not inform CPS of the breach while the assessment was underway.
CPS has had a relationship with Battelle for Kids since 2012, the Chicago Sun-Times reported. The most recent contract was signed in January — a month after the breach — and is supposed to top out at about $90,000 for a year ending Jan. 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, the Sun-Times reported, citing an online database of CPS vendor payments.