After their vendor, Battelle for Kids, was hit by ransomware in December, the Chicago Public Schools experienced a huge data breach that exposed the data of approximately 500,000 pupils and 60,000 employees.
Ohio-based Battelle for Kids is a non-profit educational organization that analyzes student data supplied by public school systems in order to create instructional models and assess teacher performance.
Battelle for Kids claims to collaborate with 267 school districts and has reached over 2.8 million students through its programs.
Chicago Public Schools suffers a massive data breach
The Chicago Public Schools (CPS) administration announced yesterday that a ransomware attack on Battelle for Kids on December 1st compromised the data of 495,448 kids and 56,138 workers across the district.
The school system collaborates with Battelle for Kids to upload student course information and assessment data for teacher evaluations, according to CPS.
According to CPS, the data housed on Battelle for Kids’ servers covered the school years 2015 through 2019 and exposed personal information and evaluation scores of pupils.
“Specifically, during the school years 2015-2016, 2016-2017, 2017-2018, and/or 2018-2019, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations,” the CPS student data breach notification explains.
During the school years 2015-2016, 2016-2017, 2017-2018, and/or 2018-2019, threat actors may have had access to staff members’ names, schools, employee ID numbers, CPS email addresses, and Battelle for Kids usernames.
According to CPS, the hack did not expose any Social Security numbers, home addresses, health information, or financial data.
Any students or employees affected by the situation will receive free credit monitoring and identity theft protection from CPS. The CPS data breach portal produced by the school system has instructions on how to get this free credit reporting.
Disclosure took over four months
In April, Ohio school districts began sending out data breach warnings to kids and employees, informing them that their information had been compromised as a result of the ransomware assault on Battelle for Kids.
Although CPS' contract with Battelle for Kids states that a data breach must be reported immediately, CPS only learnt about the compromise four months later, on April 26th, 2022.
However, it wasn’t until May 11th that they discovered which pupils or staff members’ information had been compromised.
“The length of time it took Battelle for Kids to authenticate the validity of the intrusion through an independent forensic examination, and for law enforcement agencies to investigate the situation,” writes CPS on their data breach page.
While the ransomware gang responsible for this attack is unknown, all groups leave ransom notes on encrypted devices that provide email addresses or links to ransom negotiation sites.
Ransomware gangs frequently share proof of data theft as part of the extortion process, including a list of all stolen folders and, on rare occasions, individual files.
When a victim refuses to pay a ransom, the threat actors publicly admit to attacking them and start disclosing their stolen information.
No ransomware gang has publicly stated that they infiltrated Battelle for Kids, which could indicate that Battelle for Kids paid a ransom demand.
In March, the New York City Department of Education revealed a similar but unrelated data breach, in which a cyber attack on a vendor compromised the data of 820,000 pupils.