Chicago Public Schools (CPS) has revealed that nearly half a million students and over 50,000 staff members have fallen prey to a massive data breach involving the theft of personal information via a ransomware attack.
The stolen student records span a four-year period from 2015 to 2019 and include name, date of birth, gender, grade level, school, student ID number, information about the courses students had taken, and student scores from performance tasks used for teacher evaluations.
The staff records that were involved in the breach include name, school, employee ID number, CPS email address, and information about courses taught during the four-year span.
CPS said that no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, no course grades, no standardized test scores, and no teacher evaluation scores were part of the security breach.
"According to data security experts, including law enforcement, the lack of financial information contained in the data decreases the likelihood that the data will be misused," Wagner wrote.
Wagner said the incident has been reported to law enforcement, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), and is now under investigation.
"Battelle for Kids is currently monitoring and will continue to monitor the internet in case the data is posted or distributed," Wagner wrote.
CPS said that the vendor, Battelle for Kids, had taken mitigation measures to reduce the likelihood of similar data breaches in the future, including enhancing network security and hiring a third-party security firm to provide "up-to-date defenses and industry-leading practices" in terms of cybersecurity.
"Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system," reads the joint advisory, released by agencies from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom.
The cybersecurity alert includes guidance to mitigate vulnerabilities such as poor security controls, weak security configurations, and bad practices that are routinely exploited by threat actors.
Mitigation measures include ramping up the use of multi-factor authentication and the use of dedicated administrative workstations for privileged user sessions, while limiting the ability of local administrator accounts to log in remotely.