Chicago Public Schools’ Vendor Data Breach Compromises Data for 550,000 People

A massive data breach exposed data from 495,448 Chicago Public Schools (CPS) students and 56,138 employees.

Battelle for Kids, a teacher evaluation vendor that works for CPS, was hit by a ransomware attack on 1 December 2021, but it did not inform the school district about the attack until a letter on 26 April. Additional details—including more specific information about what data was compromised—were provided 11 May, according to the Chicago Sun-Times.

“We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids,” the district said. “Battelle for Kids informed CPS that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.

“CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.”

Students’ basic information and dates of birth were compromised, but CPS said that financial records, health data, and Social Security numbers were not included in the breach. Employee data accessed included names, employee identification numbers, school and course information, emails, and usernames, according to the Associated Press. There is no evidence at this point that the data has been misused, posted, or distributed, but the school district is offering families a year of credit monitoring and identity theft protection, the Sun-Times reported.

For more information, including resources available to those impacted, FAQ's and more, please visit https://t.co/ZwSsHdHk11. pic.twitter.com/8MMh50tiIo

— CPS - Chicago Public Schools (@ChiPubSchools) May 20, 2022

The ransomware attack on Battelle for Kids also affected other schools, including districts in Ohio where private student data from as early as 2011 was revealed.

CPS said the breach was caused and exacerbated by the company’s failure to follow the information security terms of its contract—specifically failing to encrypt data and purge old records.

The ransomware threat against school districts and services has increased in recent years, especially after the broad shift to remote learning during the COVID-19 pandemic. In 2020, 1,600 schools in the United States were targeted by ransomware attacks, and nearly 60 percent were K-12 schools, Security Management reported in 2021.

“In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning,” according to an advisory from the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). “Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.”

Ransomware continued to be a major security and operational issue in 2021. We took a look at how the threat is impacting schools, many of which have turned to remote learning options during COVID-19: https://t.co/gEsg6l1JgQ

— Security Management (@SecMgmtMag) December 31, 2021

Malicious cyber actors likely view schools as “targets of opportunity” that are susceptible to attack and are likely to pay ransoms to get school systems back up and running, the advisory said.