Ransomware on edtech vendor results in data breach of 500K Chicago students
A ransomware attack last December against the K-12 technology vendor Battelle for Kids is being pinned as the cause of a data breach reported last Friday by Chicago Public Schools, affecting 500,000 students over a four-year period and about 60,000 current and former employees.
Chicago Public Schools sent out breach notification letters notifying families of students who attended between 2015 and 2019 that some of their personal information was accessed in the Dec. 1 attack against Battelle for Kids.
The school system — the nation’s third largest, with roughly 340,000 children enrolled currently — uses Battelle for Kids’ teacher evaluation software, which assesses educators based on students’ academic performance. Chicago Public Schools has paid Battelle for Kids about $1.4 million annually since 2012, the Chicago Sun-Times reported.
“[An] unauthorized party gained access to your child’s name, date of birth, gender,
grade level, school, Chicago Public Schools student ID number, State Student ID number,
information about the courses your student took, and scores from performance tasks used for
teacher evaluations,” read the letter families received last week.
The letter says no Social Security numbers, health records, financial information or current class schedules were included in the breach.
Chicago Public Schools states on an FAQ on its website that it was not notified of the ransomware incident until April 26 and only learned on May 11 that students and teachers had been affected. The vendor told school officials that the delay was due to the amount of time it needed to verify the attack and to notify law enforcement, according to the FAQ.
“Regardless, our contract with Battelle for Kids states that CPS is to be notified of any data breach immediately,” school officials wrote.
Chicago is not the only school district affected by last year’s ransomware attack. Several districts in Ohio that also use Battelle for Kids to conduct teacher evaluations were notified last month that data going back to 2011 was exposed.
Battelle for Kids, headquartered in Columbus, Ohio, was founded in 2001 with a grant from the science and technology foundation Battelle, and it operates as a nonprofit entity. It now joins a growing list of edtech vendors to suffer cybersecurity incidents that ripple across school systems and state lines. In March, a breach at Illuminate Education, a vendor used to track students’ attendance and academic progress, was found to have caused the exposure of more than 800,000 current and former New York City students, with more school systems across the country reporting similar breaches in the weeks since.