Ransomware attack exposes information of hundreds of thousands of students and employees in Chicago Public Schools

More than half a million Chicago Public Schools (CPS) students and employees have had their sensitive information compromised due to a ransomware attack, which occurred in late 2021 but was not reported until April 2022. The attack targeted a server of Battelle for Kids, a technology provider that provides services to CPS. This compromised server was used to store student and staff information.

The records of 495,448 students and 56,138 staff members in 2015-2016 and 2018-2019 school periods are part of the leak; the information appears to include student and workers’ full names, dates of birth, gender, identification code, school schedules, and specific assessments.

CPS has confirmed that the compromised server did not store any more personal information: “There were no Social Security numbers, financial information, health data, or current course and schedule information.” They also assured there is no evidence to prove these records had been misused or linked online; nonetheless, CPS is offering affecting families a year of a credit monitoring and identity theft protection service.

Agents from the Federal Bureau of Investigation (FBI) and National Homeland Security (NHS) are already investigating the incident. In addition, Battelle for Kids has maintained continuous monitoring of its systems and various illegal hacking forums to identify a possible leak of the compromised data.

About the company under attack, Battelle for Kids was hired to implement CPS’s REACH teacher evaluation program. Those assessments take into account the growth in students’ academic performance each year. As mentioned above, CPS notified the incident through a letter sent in April 2022, adding that the specific number of exposed records was unknown.

Battelle for Kids notes that work began with a cybersecurity firm after detecting the incident; since then, the firm has implemented stricter security protocols for access to its computer systems, though its representatives have not mentioned the reasons why the incident was not immediately reported to CPS.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.