Massive data breach reveals four-year history worth of records of nearly 500,000 Chicago public school students and just fewer than 60,000 employees, county officials said Friday.
attack targeting a company that has a non-bidding contract with school system for teacher assessments and participation basic information – including student dates of birth – but no financial social security records or numbers, according to CPS.
The county said there is no evidence that the data was misused. posted or distributed but offered to affected families year of credit monitoring and identification theft protection.
Teacher Assessment Provider, Battelle for Children, was targeted in ransomware attack on the 1st of December of last year, the district said. CPS has been notified via sent letter on April 26, but “had no specific information regarding which students were affected, as well as CPS know this staff information was also compromised before May 11.”
CPS officials said the county has begun informing affected families and staff and will also notify those whose entries were not part of of violation of “provide them with world of intelligence.”
“We are dealing with notification delays and other issues in treatment of data with battel for Children,” the district said. “Battel for The children told CPS that reason for the delayed CPS notification was the duration of the time when it took for Battelle for authentication of breach through independent forensic analysis, and for law enforcement agencies to investigate the case.
“CPS includes strong language in all of our suppliers enter into contracts for ensure in protection and security of private information. We are working on ensure all suppliers who use CPS data handles this data responsibly and securely in agreement with their respective contracts to prevent this kind of of incident ever again”.
Other violations related to hacking of battel for The children have been identified in April in school districts in Ohio where private student data has been disclosed so far back as of 2011.
The CPS stated that the violation was “caused [and] exacerbated by BfK failure to follow in information security terms of their contract.” more in particular, it failed to encrypt data and clear old records. But the district didn’t finish his contract with company, a spokeswoman said.
battel for Children’s representatives said in Friday’s announcement that the company “immediately hired national cybersecurity firm to assess scope of incident and took steps to mitigate potential impact. We have recently received the results and notified all affected school systems.” Battelle said that since then in place more robust security protocols.
The company did not answer why they did not inform CPS of violations during the assessment.
Dates of birth, estimate scores unprotected
Total 495 448 student and 56 138 employee entries were available from the 2015-16 to 2018-2019 school years. The data included student names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information and scores on Used course grades for teacher evaluations.
Access to personal data for in those years there were names employee identification numbers, school and course information and emails and usernames. CPS reported that the hacked server was not store any other entries.
“There were no social security numbers, no financial information no health data, no current course or schedule informationno home addresses and without course grades, standardized test scores or teacher score scores exposed in this incident,” the district authorities said. in statement.
FBI and Department of The National Security Service was investigating the leak. And the company “monitors and will continue to monitor the Internet.” in if data posted or distributed,” CPS said.
Contracts without bidding
CPS never asked for bids when awarding work to Battelle for Children, the relationship that started in 2012. The company was originally hired by then-CEO Jean-Claude Brizard but was retained by the four leaders. who since then they have led the CPS.
The last contract was signed in January – a month after the hack, but almost four months before the CPS says CEO Pedro Martínez and Acting Purchasing Director Charles Mayfield were notified. It should be on top out priced at $90,058 for a year ending January 31, 2023
Between 2012 and 2020 the Council of The Ohio-based company paid $1.4 million, according to Education. online database of ATP provider payments. The database is not list 2021 or 2022 payments and CPS officials did not provide information Friday.
battel for The children were hired help District Leaders Evaluate CPS REACH Teachers program. Teacher grades take into account growth in student academic performance from year to year.
Voted according to the documents on Council of Education in In January, Battelle is to “accurately connect teachers to the students they teach and to whom they have given REACH Performance Tasks. This is necessary to obtain accurate growth measures for teacher evaluation.
