Chicago Public Schools (CPS) has suffered a data breach that compromised the personal information of 500,000 students and more than 56,000 employees. 


According to a statement released by CPS, the data compromised includes personally identifiable information (PII), such as names, dates of birth, gender, grade level, school and district and state student ID numbers, as well as information about courses students took and scores on tasks used to evaluate teachers between 2015 and 2019. Staff records compromised included names, school employee ID numbers and CPS email addresses. No Social Security numbers, financial information, health data, current course or schedule information, course grades or standardized test scores were breached.


At this time, no evidence suggests the data has been “misused, posted or distributed,” CPS says. “According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused,” CPS explains. In addition, CPS will be offering 12 months of free credit monitoring and identity theft protection for students and teachers affected by the data breach. 


While CPS notes no Social Security information, home address or financial information was exposed, “enough data was exposed that would provide a leg up for bad actors looking to gain additional information,” says Chris Hauk, consumer privacy champion at Pixel Privacy. “Students and faculty must remain on the alert for any phishing attempts that use the gleaned information to acquire additional information.”


CPS has blamed the data breach on nonprofit technology organization Battelle for Kids, which recently notified CPS that in December 2021, the company was the victim of a ransomware attack on a server used to store CPS student information for school years 2015-2016, 2016-2017, 2017-2018, and 2018-2019. The tech vendor stores student course information and assessment data for teacher evaluations, CPS says.


On a breach notification page, CPS notes it received a letter on April 26, 2022 “via U.S. mail” from Battelle for Kids, implying the organization had not provided any details as to which students or if staff information had been compromised. “Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter,” CPS states.


CPS notes that the contract with Battelle states that “CPS is to be notified of any data breach immediately” and says it is working to address “the delayed notification and other issues in the handling of data with Battelle for Kids.”


Education data breaches are on the rise. According to a Comparitech 2021 report, since 2005, K-12 school districts and colleges/universities across the US have experienced over 1,850 data breaches, affecting more than 28.6 million records. Third parties “can have a catastrophic effect on educational institutions and their data,” the report found. 


School districts and universities need to understand that they are high-profile targets and assume that a cyberattack is imminent, says Erfan Shadabi, cybersecurity expert at comforte AG. Shadabi recommends that the education industry and its leaders invest in a dynamic security awareness training program for both faculty and students to better identify security risks such as phishing emails and suspicious links. 


“And then, they need to protect their data not just with enhanced perimeter security but with data-centric security such as tokenization applied directly to that data,” Shadabi explains. “Only robust data-centric security can help mitigate the situation if the wrong hands get ahold of sensitive data.”