CHICAGO — The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but officials said the vendor only reported it to the district last month.
The data breach occurred on December 1, and technology vendor Battelle for Kids notified CPS on April 26, the district said Friday. CPS said that a server that stored student and staff information was breached, and four years’ records were accessed.
According to CPS, 495,448 student and 56,138 employee records from 2015-16 through 2018-2019 were accessed. The data includes student names, schools, dates of birth, gender, CPS identification numbers, student state identification numbers, class schedule information, and scores on course-specific assessments used for teacher evaluations.
Employee data accessed during those years include names, employee identification numbers, school and course information, and emails and usernames.
CPS said the compromised server did not store any other data.
“There were no social security numbers, no financial information, no health records, no current course or schedule information, no home addresses, and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” the district said in a statement.
CPS said there is no evidence that the data was misused, posted, or distributed but offered affected families a year of credit monitoring and protection against identity theft.
CPS representatives said the district has notified affected families and staff and would also notify those whose records have not been accessed “to give them peace of mind.”
The FBI and the Department of Homeland Security have both investigated the breach, and the vendor “monitors the Internet and will continue to monitor it in case the data is posted or distributed,” according to CPS.
Battelle for Kids was hired to assist district leaders in conducting CPS’s REACH teacher evaluation program. These evaluations take into account the annual growth in students’ academic performance.
CPS said it was notified of the breach by Battelle for Kids on April 26 via an emailed letter, but it “had no specific information about which students were affected, nor did CPS know that personnel information was at risk until May 11.”
CPS said that because the contract with the supplier states that it must immediately notify the district of a data breach, it “is addressing the delayed notification and other data processing issues with Battelle for Kids.”
Battelle for Kids said in a statement to the Chicago Sun-Times Friday that the company “immediately engaged a national cybersecurity firm to assess the extent of the incident and took steps to mitigate its potential impact.”
The company said it has since established stronger security protocols but did not answer why it did not notify CPS of the breach while the review was underway.
CPS has had a business relationship with Battelle for Kids since 2012, the Chicago Sun-Times reported. The most recent contract was signed in January — a month after the breach — and was set to cost approximately $90,000 for a year ending January 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, the Sun-Times reported, citing an online database of CPS vendor payments.