A massive data breach exposed four years' worth of records for nearly 500,000 Chicago Public Schools students and just under 60,000 employees, district officials said Friday.
The attack targeted a company that holds a no-bid contract for the district’s teacher evaluation system. The exposed data includes basic information, including students’ dates of birth, but no financial records or Social Security numbers, according to CPS.
The district said there was no evidence that the data had been misused, published or disseminated, but offered the affected families a year of credit monitoring and protection against identity theft.
Teacher evaluation provider Battelle for Kids was targeted in a ransomware attack on December 1 last year, the district said. CPS was notified by a mailed letter on April 26, but “there was no specific information on which students were affected, nor did the CPS know that staff information was also compromised until May 11.”
CPS officials said the district has begun informing affected families and staff and will also notify those whose records are not part of the breach “to reassure them.”
“We are addressing delayed notifications and other data processing issues with Battelle for Kids,” the district said. “Battelle for Kids informed the CPS that the reason for the delayed notification to the CPS was the length of time it took Battelle to verify the authenticity of the violation through an independent forensic analysis and for law enforcement to investigate.”
“CPS includes strong language in all our contracts with suppliers to ensure the protection and security of personal information. We work to ensure that all providers who use CPS data handle this data responsibly and securely in accordance with their respective contracts to prevent the recurrence of such incidents.”
Other breaches related to the hack of Battelle for Kids were identified in April in school districts in Ohio, where personal data about students was revealed in 2011.
CPS said the breach was “caused [and] exacerbated by BfK’s failure to comply with the information security requirements of their contract,” in particular the failure to encrypt data and purge old records. But the district has not terminated its contract with the company, a spokeswoman said.
Representatives of Battelle for Kids said in a statement on Friday that the company “immediately engaged a national cybersecurity company to assess the scope of the incident and take steps to mitigate the potential impact. We have recently received findings and notified all affected school systems.” Battelle said it has since introduced stricter security protocols.
The company did not answer why it did not inform CPS of the breach while the assessment was ongoing.
Dates of birth, evaluation data exposed
A total of 495,448 student records and 56,138 staff records were exposed, covering the 2015-16 through 2018-19 school years. The data includes student names, schools, dates of birth, gender, CPS identification numbers, government student identification numbers, class schedule information, and results of course-specific grades used for teacher evaluations.
Staff data exposed for these years includes names, employee identification numbers, school and course information, emails and usernames. CPS said the breached server did not store any other records.
“There were no Social Security numbers, financial information, health data, current course or schedule information, no home addresses and course assessments, standardized test results or teacher assessments set out in the incident,” district officials said in a statement.
The FBI and Homeland Security have investigated the breach. And the company “monitors and will continue to monitor the Internet in case the data is published or disseminated,” CPS said.
No-bid contracts
CPS never sought bids when it hired Battelle for Kids, a relationship that began in 2012. The company was originally hired under then-CEO Jean-Claude Brizard, but has been retained by the four leaders who have led CPS ever since.
The latest contract was signed in January, a month after the breach but almost four months before CPS said it had been notified, by CEO Pedro Martinez and interim CEO Charles Mayfield. It is estimated to reach $90,058 for the year ending January 31, 2023.
Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, according to an online database of payments to CPS providers. The database does not list payments for 2021 or 2022, and CPS staff did not provide the information on Friday.
Battelle for Kids has been hired to help district leaders run the CPS REACH Teacher Assessment Program. Teachers’ assessments report an increase in students’ academic performance from year to year.
According to documents voted on by the Board of Education in January, Battelle must “connect teachers precisely with the students they teach and have administered tasks to implement REACH. This is a requirement to create accurate growth measures for teacher evaluation.”