A massive data breach has exposed four years’ worth of records of nearly 500,000 Chicago Public Schools students and just under 60,000 employees, district officials said Friday.
The attack targeted a company that has a no-bid contract with the school system for teacher evaluations and involved basic information — including students’ dates of birth — but no financial records or Social Security numbers, according to CPS.
The district said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection.
The teacher evaluation vendor, Battelle for Kids, was targeted in a ransomware attack on Dec. 1 of last year, the district said. CPS was notified via a mailed letter on April 26, but “did not have specific information as to which students were affected, nor did CPS know that staff information was also compromised until May 11.”
CPS representatives said the district had begun informing affected families and staff and would also notify those whose records weren’t part of the breach “to provide them with peace of mind.”
“We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids,” the district said. “Battelle for Kids informed CPS that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.
“CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.”
Other breaches related to the hacking of Battelle for Kids were identified in April at school districts in Ohio, where private student data was revealed as far back as 2011.
CPS said the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract,” more specifically failing to encrypt data and purge old records. But the district has not ended its contract with the company, a spokeswoman said.
Battelle for Kids representatives said in a statement Friday that the company “immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact. We have recently received findings and notified all impacted school systems.” Battelle said it has since put in place stronger security protocols.
The company did not answer why it didn’t inform CPS of the breach while the assessment was underway.
Birthdates, assessment scores exposed
In all, 495,448 student and 56,138 employee records were accessed from the 2015-16 through 2018-2019 school years. The data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations.
Staff data accessed for those years included names, employee identification numbers, school and course information and emails and usernames. CPS said the breached server did not store any other records.
“There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident,” district officials said in a statement.
The FBI and Department of Homeland Security have both investigated the breach. And the company is “monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.
No-bid contracts
CPS has never sought bids when awarding work to Battelle for Kids, a relationship which began in 2012. Initially the company was hired under then-CEO Jean-Claude Brizard but has been retained by the four leaders who have helmed CPS since then.
The most recent contract was signed in January — a month after the breach but nearly four months before CPS says it was notified — by CEO Pedro Martinez and Interim Chief Procurement Officer Charles Mayfield. It’s supposed to top out at $90,058 for a year ending Jan. 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, according to an online database of CPS vendor payments. The database didn’t list 2021 or 2022 payments and CPS officials didn’t provide the information Friday.
Battelle for Kids was hired to help district leaders conduct CPS’ REACH teacher evaluation program. Teacher evaluations take into account the growth in students’ academic performance from year to year.
According to documents voted on by the Board of Education in January, Battelle is supposed to “accurately link teachers to the students they teach and to whom they administered REACH Performance Tasks. This is a requirement to produce accurate growth measures for teacher evaluation.”