A massive data breach has exposed four years’ worth of records of nearly 500,000 Chicago Public Schools students and just under 60,000 employees, district officials said Friday.
The attack targeted a company that has a no-bid contract with the district for teacher evaluations and involved basic student and staff information, with no financial records or Social Security numbers stolen, according to CPS. The district said there is no evidence the data has been misused, posted or distributed.
The teacher evaluation vendor, Battelle for Kids, was targeted in a ransomware attack on Dec. 1 of last year, the district said. CPS was notified via a mailed letter on April 26, but “did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11.” Officials shared the news with principals in an emergency meeting Friday afternoon before details were released publicly.
CPS representatives said the district had begun informing affected families and staff and would also notify those whose records weren’t part of the breach “to provide them with peace of mind.”
“We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids,” the district said. “Battelle for Kids informed CPS that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.
“CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.”
Other breaches related to the hacking of Battelle for Kids were identified in April at school districts in Ohio, where private student data was revealed as far back as 2011.
CPS said the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract,” more specifically failing to encrypt data and purge old records. But the district has not ended its contract with the company, a spokeswoman said.
Birthdates, assessment scores exposed
In all, 495,448 student and 56,138 employee records were accessed from school years starting in 2015-16 and through 2018-2019. The data included students’ names, schools, dates of birth, gender, CPS identification number, state student identification number, class schedule information and scores on course-specific assessments used for teacher evaluations.
Staff data accessed for those years included names, employee identification numbers, school and course information and emails and usernames. CPS said the breached server did not store any other information.
“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” district officials said in a statement.
The FBI and Department of Homeland Security have both investigated the breach. And the company is “monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.
Battelle for Kids representatives didn’t respond to requests for comment.
CPS has never sought bids when awarding work to Battelle for Kids, a relationship which began in 2012. Initially the company was hired under then-CEO Jean-Claude Brizard but has been retained by the four leaders who have helmed CPS since then.
The most recent contract was signed in January by CEO Pedro Martinez and Interim Chief Procurement Officer Charles Mayfield. It’s supposed to top out at $90,058 for a year ending Jan. 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, according to an online database of CPS vendor payments. The database didn’t list 2021 or 2022 payments and CPS officials didn’t provide the information Friday.
Battelle for Kids was hired to help district leaders conduct CPS’ REACH teacher evaluation program. Teacher evaluations take into account the growth in students’ academic performance from year to year.
According to documents voted on by the Board of Education in January, Battelle is supposed to “accurately link teachers to the students they teach and to whom they administered REACH Performance Tasks. This is a requirement to produce accurate growth measures for teacher evaluation.”