CPS says ransomware attack affects nearly 500K students, 56K employees
A data breach has compromised personal information of nearly 500,000 students in Chicago Public Schools and more than 56,000 employees.
CPS released a statement Friday saying affected data included name, date of birth, gender, grade level, school and district and state student ID numbers, as well as information about courses students took and scores on tasks used to evaluate teachers during from 2015 to 2019. Staff records for which an unauthorized party gained access included name, school employee ID number and CPS email address, the district said.
“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident. Also, at this time, there is no evidence to suggest that this data has been misused, posted, or distributed,” CPS said.
CPS said the breach was a result of a ransomware attack on a technology vendor for CPS, Battelle for Kids, and occurred on a server used to store the CPS student and staff information.
The breach occurred last Dec. 1, the district said, but CPS was not notified by Battelle for Kids until April 26.
“CPS did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11, 2022,” the district said. “Battelle for Kids informed CPS that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities
to investigate the matter.
“Regardless, our contract with Battelle for Kids states that CPS is to be notified of any data breach immediately. We are addressing the delayed notification and other issues in the handling of data with Batelle for Kids,” CPS said.
A message left Friday for Battelle for Kids was not immediately returned. Its website says it’s a “national not-for-profit organization committed to collaborating with school systems and communities to realize the power and promise of 21st century learning for every student.”
CPS said it has a $90,000 contract with Battelle and that the organization “stores student course information and assessment data for the purposes of teacher evaluations.”
Affected families and staff can call 833-909-4007, go to cps.edu/databreach or email BFK-Breach-Info@cps.edu for more information.