CPS data breach: records of 560,000 students and employees exposed

A massive data breach uncovered four years of records for nearly 500,000 Chicago public school students and nearly 60,000 employees, district officials told principals on Friday.

The attack targeted a company that had a no-bid contract with the district for teacher evaluation and involved basic information about students and staff, with no theft of financial records or social security numbers, according to the CPS.

The teacher assessment provider, called Battelle for Kids, was the target of a ransomware attack on Dec. 1 of last year, the district said. The CPS was notified on April 26, ‘but we did not know the full extent of the breach until May 11,’ officials said at an emergency meeting on Friday afternoon before details were released. be made public.

CPS representatives did not immediately respond to questions.

Other breaches related to the Battelle for Kids hack were identified in April in Ohio school districts, where private student data was exposed as early as 2011.

The CPS said the breach was “caused [and] exacerbated by BfK’s failure to comply with the information security terms of its contract,” specifically by failing to encrypt data and purge old records.

In total, approximately 495,000 student and 56,000 employee records were accessed from school years beginning in 2015-2016 through 2018-2019. The data included student names, schools, dates of birth, gender, CPS ID number, state ID number, class schedule information, and student-specific assessment scores. courses used for teacher evaluations.

Personnel data accessed for those years included names, employee ID numbers, school and course information, emails, and usernames.

The district said no student and staff financial information, social security numbers, home addresses or current schedules were breached.

CPS never solicited bids when awarding work to Battelle for Kids, a relationship that began in 2012. Initially, the company was hired under then-CEO Jean-Claude Brizard, but was retained by the following four leaders who have led CPS since then.

The most recent contract was signed in January, again without a tender, by CEO Pedro Martinez and interim chief purchasing officer Charles Mayfield. It is supposed to reach $90,058 for a year ending January 31, 2023.

Between 2012 and 2020, the Board of Education paid $1.4 million to the Ohio-based company, according to an online database of CPS provider payments. The database does not list payments for 2021 or 2022 and when asked specifically about Friday’s, CPS officials did not immediately respond.

Battelle for Kids was hired to help district leaders conduct teacher assessments under CPS’s REACH program. The evaluations take into account the evolution of the academic performance of the pupils of each teacher from year to year.

According to documents voted by the Board of Education in January, Battelle is supposed to “establish a definite link between teachers and the students they teach and to whom they have administered the REACH performance tasks. This is a requirement to produce accurate growth measures for teacher evaluation.