Chicago Public Schools (CPS) has revealed that nearly half a million students and over 50,000 staff members have fallen prey to a massive data breach involving the theft of personal information via a ransomware attack.
A technology vendor for CPS called Battelle for Kids notified the school district that, on Dec. 1, 2021, an unauthorized party gained access to 495,448 student records and 56,138 staff records, according to a May 20 statement from CPS.
The stolen student records span a four-year period from 2015 to 2019 and include name, date of birth, gender, grade level, school, student ID number, information about the courses students had taken, and student scores from performance tasks used for teacher evaluations.
The staff records that were involved in the breach include name, school, employee ID number, CPS email address, and information about courses taught during the four-year span.
CPS said that no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, no course grades, no standardized test scores, and no teacher evaluation scores were part of the security breach.
Edward Wagner, acting chief information officer at CPS, said in a letter to parents that there is no evidence at this time to suggest the stolen data has been misused or provided to other parties.
“According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused,” Wagner wrote.
Wagner said the incident has been reported to law enforcement, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), and is now under investigation.
“Battelle for Kids is currently monitoring and will continue to monitor the internet in case the data is posted or distributed,” Wagner wrote.
CPS said that the vendor, Battelle for Kids, had taken mitigation measures to reduce the likelihood of similar data breaches in the future, including enhancing network security and hiring a third-party security firm to provide “up-to-date defenses and industry-leading practices” in terms of cybersecurity.
The disclosure comes as multiple national cybersecurity authorities earlier this week revealed the top ten cyber attack vectors most commonly used by criminals to breach networks.
“Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system,” reads the joint advisory, released by agencies from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.
The cybersecurity alert includes guidance to mitigate vulnerabilities such as poor security controls, weak security configurations, and bad practices that are routinely exploited by threat actors.
Mitigation measures include ramping up the use of multi-factor authentication and the use of dedicated administrative workstations for privileged user sessions, while limiting the ability of local administrator accounts to log in remotely.