Chicago Public Schools (CPS) was recently the target a large-scale data breach resulting in the exposure of data belonging to around 60,000 staff members and 500,000 students, after the institution’s vendor, known as Battelle for Kids, was hit by a ransomware assault back in December 2021.

Battelle for Kids is a non-profit educational organisation that analyses student information shared by American public-school systems to develop instructional models and evaluate the performance of teachers. Information from the Ohio-based vendor states that it currently works with 267 different school systems, with its services have reached almost three million students.

Extensive data leak for Chicago Public Schools

The CPS system disclosed that a ransomware attack that took place on December 1 last year compromised the Battelle For Kids data records of 495,448 students, along with 56,138 employees.

According to CPS, the educational system partners up with Battelle for Kids in order to upload students’ course data and assessment information for its evaluations.

CPS stated that the information stored on servers held by Battelle for Kids covered school years from 2015 to 2019 and exposed the students’ assessment scores and personal information.

In terms of information on staff exposed in the breach, it is believed that the threat actors behind the attacks potentially may have accessed names, schools, employee ID numbers, CPS email addresses, and their dedicated usernames for Battelle for Kids during the school years 2015 to 2016, 2016 to 2017, 2017 to 2018, and 2018 to 2019.

CPS was at least able to reassure its students and staff that no Social Security Numbers, health data, home addresses, or financial details were exposed during the attack. Additionally, victims of the breach are being awarded identity theft protection and credit monitoring.

Delayed breach disclosure

In April this year, school districts in Ohio started issuing data breach notifications to warn staff and students that their information was accessed in the Battelle for Kids ransomware attack.

While CPS states that its contract with the vendor requires instant notification of any data breach, it first learned of the incident four months after the attack, on April 26. Additionally, it was not until the following month in May that it learned specifically which staff members’ and students’ data was compromised.

The data breach page on its website explains that the reason for the delayed notification to CPS, as given by Battelle for Kids, was that it took some time for Battelle to confirm the breach’s authenticity. It required an independent forensic examination, as well as the involvement of law enforcement groups in investigating the breach.

Threat operators like ransomware gangs thrive on attacking organisations and institutions that provide key services, making vendors delivering support to the educational sector a prime target. It is vital for every school and college collaborating with third parties to ensure that they share a strong commitment to both data security and privacy.

No information is yet available on the operators behind the ransomware attack on Battelle for Kids.