500,000 Chicago Students’ Data Exposed in Ransomware Attack
Battelle for Kids, Chicago Public Schools’ Vendor Experienced a Ransomware Attack.
The Chicago Public Schools (CPS), are located in Chicago, Illinois, and are the third biggest school system in the United States. Only the Los Angeles Unified School System, which is the nation’s second-biggest school district, and the New York City Public Schools are larger than the Chicago Public Schools (CPS) (which is the largest school district in the US).
CPS reported having oversight over 638 schools for the 2020–2021 school year, including 476 elementary schools and 162 high schools. Of these schools, 513 were district-run schools, 115 were charter schools, 9 were contract schools, and 1 was a SAFE school. The school district has a total enrollment of 340,658 pupils.
Chicago Public Schools’ vendor, Battelle for Kids, experienced a ransomware assault in December, exposing the data of roughly 500,000 children and 60,000 employees.
CPS announced that a ransomware attack on Battelle for Kids compromised the data of 495,448 kids and 56,138 workers. CPS works with Battelle for Kids to submit course and assessment data for teacher evaluations and said the data exposed children’s personal information and test results from 2015 to 2019.
Chicago Public Schools was recently made aware of a data security incident involving one of our vendors that may have impacted your child, [STUDENTNAME], and their personal information between 2015 and 2019.
This letter contains information about the incident, our response, steps to safeguard your child’s information, and safety measures that have been put in place to assure the security of information in the future. At this time, there is no evidence to suggest that this data has been misused or distributed.
A technology vendor for CPS called Battelle for Kids recently notified CPS that on December 1, 2021, Battelle for Kids was the victim of a ransomware attack on a server used to store CPS student information for school years 2015-2016, 2016-2017, 2017-2018 and 2018-2019. Battelle for Kids is a nonprofit technology organization that stores student course information and assessment data for the purposes of teacher evaluations.
Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019. The server did not store any other information about your child.
No Social Security numbers, no financial information, no health data, no current course or schedule information, and no course grades or standardized test scores were involved in this incident. This incident has been reported to and investigated by the appropriate law enforcement authorities, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS).
Battelle for Kids is currently monitoring and will continue to monitor the internet in case the data is posted or distributed. We can report that as of this time, there is no evidence to suggest that this data has been misused, posted, or distributed. According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused. Although the data that was inappropriately accessed did not include any financial information or your child’s Social Security number, we know that you may be concerned about fraudulent activity on your child’s behalf.
Any students or staff members who have been affected will get free identity theft protection as well as credit monitoring services from CPS.
It is unknown which ransomware gang was responsible for this assault; however, the majority of ransomware gangs leave ransom notes behind on encrypted devices. These ransom notes provide email addresses or a way to connect to the websites where ransom payments may be negotiated.
As BleepingComputer reports, there has been no public statement made by a ransomware group declaring that they hacked Battelle for Kids, which may indicate that Battelle for Kids complied with a ransom demand and paid the demanded amount.