Ransomware attack exposes data of 500,000 Chicago students


Chicago Public Schools has suffered a massive data breach that exposed the data of almost 500,000 students and 60,000 employees after its vendor, Battelle for Kids, suffered a ransomware attack in December.

Ohio-based Battelle for Kids is a not-for-profit educational organization that analyzes student data shared by public school systems to design instructional models and evaluate teacher performance.

Battelle for Kids says it works with 267 school systems and that its programs have reached over 2.8 million students.

Massive data breach for Chicago Public Schools

Yesterday, the Chicago Public Schools (CPS) district disclosed that a December 1st ransomware attack on Battelle for Kids exposed the stored data of 495,448 students and 56,138 employees in its school system.

According to CPS, the school system partners with Battelle for Kids to upload student course information and assessment data for teacher evaluations.

CPS says that the data stored on Battelle for Kids’ servers was for school years 2015 through 2019 and exposed students’ personal information and assessment scores.

“Specifically, an unauthorized party gained access to your child’s name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses your student took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019,” explains the CPS student data breach notification.

For staff, the threat actors potentially accessed their name, school, employee ID number, CPS email address, and Battelle for Kids username during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.

CPS says that no Social Security Numbers, home addresses, health data, or financial information was exposed in the attack.

CPS is providing free credit monitoring and identity theft protection to any students or staff members impacted. Instructions on how to access this free credit reporting can be found on the CPS data breach page created by the school system.

Over four months to disclose breach

In April, Ohio school districts began issuing data breach notifications warning…