A massive data breach exposed four years of records for nearly 500,000 Chicago public school students and just under 60,000 employees, district officials said Friday.
The attack targeted a company that had a no-bid contract with the school system for teacher evaluation and involved basic information — including students’ dates of birth — but no financial records or social security numbers, according to CPS.
The district said there was no evidence the data was misused, published or distributed, but offered affected families one year of credit monitoring and identity theft protection.
Teacher assessment provider Battelle for Kids was the target of a ransomware attack on Dec. 1 of last year, the district said. CPS was notified by a letter mailed on April 26, but “did not have specific information about the students involved, nor was CPS aware that staff information had also been compromised until May 11.”
CPS officials said the district has begun notifying affected families and staff and will also notify those whose records were not part of the breach “to provide them with peace of mind.”
“We are addressing late notification and other data processing issues with Battelle for Kids,” the district said. “Battelle for Kids informed CPS that the reason for the late notification to CPS was the time it took Battelle to verify the authenticity of the breach through independent forensic analysis, and for law enforcement authorities to investigate the matter.”
“CPS includes strong language in all our contracts with suppliers to ensure the protection and security of personal information. We are working to ensure that all vendors who use CPS data treat this data responsibly and securely, in accordance with their respective contracts, to prevent this type of incident from happening again.”
Other breaches related to the Battelle for Kids hack were identified in April in Ohio school districts, where private student data was exposed as early as 2011.
CPS said the breach was “caused [and] exacerbated by BfK’s failure to comply with the information security terms of its contract,” specifically by failing to encrypt data and purge old records. But the district has not terminated its contract with the company, a spokeswoman said.
Representatives for Battelle for Kids did not respond to requests for comment.
Dates of birth, assessment scores exposed
A total of 495,448 student files and 56,138 employee files were accessed, covering the 2015-2016 through 2018-2019 school years. Data included student names, schools, dates of birth, gender, CPS ID numbers, state student ID numbers, class schedule information, and course-specific assessment scores used for teacher evaluations.
Personnel data accessed for those years included names, employee ID numbers, school and course information, emails, and usernames. CPS said the hacked server does not store any other records.
“There was no social security number, no financial information, no health data, no current class or schedule information, no home address, and no class notes, standardized test scores, or teacher assessment results exposed in this incident,” district officials said in a statement.
Both the FBI and the Department of Homeland Security investigated the breach. And the company is “monitoring and will continue to monitor the internet in case the data is released or distributed,” CPS said.
No-bid contracts
CPS never solicited bids when awarding work to Battelle for Kids, a relationship that began in 2012. Initially, the company was hired under then-CEO Jean-Claude Brizard, but was retained by the four executives who have led CPS since then.
The most recent contract was signed in January – a month after the breach but nearly four months before CPS said it was notified – by CEO Pedro Martinez and acting chief purchasing officer Charles Mayfield. It is expected to reach $90,058 for the year ending January 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, according to an online database of CPS provider payments. The database does not list payments from 2021 or 2022 and CPS officials did not provide the information on Friday.
Battelle for Kids was hired to assist district leaders in conducting CPS’s REACH teacher assessment program. Teacher evaluations take into account the evolution of students’ academic performance from year to year.
According to documents voted on by the Board of Education in January, Battelle is supposed to “establish a definite link between teachers and the students they teach and to whom they have administered the REACH performance tasks. This is a requirement to produce accurate growth measures for teacher evaluation.”