Dive Brief:
- Nonprofit ed tech provider Battelle for Kids informed Chicago Public Schools on May 11 it was the victim of a ransomware attack on Dec. 1 that compromised data from 495,448 student and 56,138 staff records, according to a CPS statement released Friday.
- Compromised information from the data breach included students’ names, dates of birth, genders, grade levels, schools, district and state identification numbers, information about courses taken, and scores from performance tasks used for teacher evaluations during school years 2015-2016 through 2018-2019.
- The vendor maintains that no recent evidence suggests this data has been misused, posted or distributed, according to an emailed statement from Battelle for Kids, which stores student course information and assessment data for teacher evaluations covering over 2.2 million students. CPS also said no social security numbers, financial information, health data, course grades, current class schedules or home addresses were compromised.
Dive Insight:
Within the past two months, two of the nation's five largest school districts have experienced a significant data breach via a vendor, said Doug Levin, national director of K12 Security Information Exchange, or K12 SIX, a nonprofit organization that aims to protect schools from cybersecurity threats.
In March, the New York City Department of Education said 820,000 current and former public school students’ personally identifiable information had been compromised. The department discovered in March that the breach happened due to a January cyberattack on vendor Illuminate Education, a California-based company that provides software to track grades and attendance.
Since that announcement, the number of students impacted by the January cyberattack on Illuminate Education had spread to districts in four other states as of May 17, according to THE Journal.
The Battelle for Kids data breach so far appears to have also compromised data from several districts in Ohio, including Upper Arlington City Schools, Fairfield City School District and Lakota Local School District. CPS is the fourth school system to issue a statement that it was impacted, THE Journal reports. Battelle for Kids said it has notified all districts affected by the incident, but did not specify the names or number of districts it had reached out to.
Given what’s happened in New York City, Levin said he expects to hear about more districts impacted by the Battelle for Kids data breach in the near future.
K12 SIX has tracked 1,331 cyber incidents in K-12 public schools since 2016. School district vendors were “responsible,” as the entry point, for 55% of K-12 data breaches between 2016 and 2021, according to the nonprofit’s report released earlier this year.
Schools are relying on technology more and more, and, consequently, putting themselves at greater risk for data breaches, Levin said. The response to COVID-19, with the swift move to remote learning, only accelerated this reliance on technology further.
“It’s definitely shifting the risk to vendors,” he said. “The jury is out as to whether or not it is more secure, and I think without school district vendors and partners stepping up, we’re starting to see some questions here whether they are doing enough to protect the data that they’re holding on behalf of schools.”
Battelle told CPS it delayed notifying the district for almost six months about the data breach because the organization needed to verify the authenticity of the attack through independent analysis and involve law enforcement in investigating the incident, the district said.
Even so, CPS said its contract with Battelle for Kids requires the vendor to make immediate contact in the event of any kind of data breach. The FBI and the Department of Homeland Security are both investigating the incident, according to CPS.
“We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids,” CPS said in a statement on its website. “We are also working to ensure all vendors who use CPS data are handling that data responsibly and securely to prevent this sort of incident from ever happening again."
