The personal information of more than half a million Chicago Public Schools students and staff was compromised in a ransomware attack last December, but the vendor didn’t report it to the district until last month, officials said.
The data breach occurred December 1 and technology vendor Battelle for Kids notified CPS April on 26, the district said Friday.
A server used to store student and staff information was breached and four years’ worth of records were accessed, CPS said.
In total, 495,448 student and 56,138 employee records were accessed from 2015-16 through 2018-2019 school years, CPS said.
The data included students’ names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on course-specific assessments used for teacher evaluations.
Employee data accessed for those years included names, employee identification numbers, school and course information and emails and usernames.
CPS said the breached server did not store any other records.
There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident, the district said in a statement.
CPS said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection.
CPS representatives said the district has been informing affected families and staff and would also notify those whose records weren’t accessed to provide them with peace of mind.
The FBI and Department of Homeland Security both investigated the breach and the vendor is monitoring and will continue to monitor the internet in case the data is posted or distributed,” CPS said.
Battelle for Kids was hired to help district leaders conduct CPS’ REACH teacher evaluation program.
Those evaluations take into account the growth in students’ academic performance each year.
CPS said it was notified of the breach by Battelle for…