CHICAGO — A ransomware attack last year affected nearly 500,000 Chicago Public School students.
The district said over 495,000 student records and over 56,000 staff records were compromised.
The breach was a result of a ransomware attack on a vendor for the district — Battelle for Kids, according to CPS. It occurred on Dec. 1, 2021.
CPS said the compromised records included the following for students: name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, state student ID number, information about the courses students took and student scores from performance tasks used for teacher evaluations during school years 2015-2019.
CPS said the compromised records included the following for staff: name, school employee ID number, CPS email address, Battelle for Kids username, and for teachers, information about courses taught during the aforementioned school years.
CPS released the following statement, saying that no addresses or information such as Social Security numbers were compromised.
“Chicago Public Schools (CPS) is deeply committed to the security of student and staff information, and we expect the same level of care and commitment from our vendors. CPS was recently made aware of a data security incident involving one of our vendors that impacted staff and student information documented between 2015 and 2019. A technology vendor for CPS, Battelle for Kids, recently notified CPS that it was the victim of a ransomware attack on a server used to store CPS student and staff information for school years 2016, 2017, 2018 and 2019. Battelle for Kids is a nonprofit technology organization that stores student course information and assessment data for the purposes of teacher evaluations.
There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses, and no course grades, standardized test scores, or teacher evaluation scores exposed in this incident. Also, at this time, there is no evidence to suggest that this data has been misused, posted, or distributed.
This afternoon, the District began informing impacted families and staff members, including former CPS families and former staff who were impacted, about this incident. We will follow up with impacted families and staff members. Families will receive one communication per child impacted. We are also notifying families and staff that were not impacted by this incident to provide them with peace of mind. The communication will contain a summary of the incident and free resources that impacted families and staff can access to safeguard their information, including free credit monitoring and identity theft protection provided by CPS.
We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids. CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.”
Battelle for Kids released the following statement.
“Battelle for Kids is a national non-profit that partners with school systems and state departments of education to process data for varied purposes. Protecting that data is a priority we take very seriously, especially in the current environment of ever-increasing cyberattacks.
In December 2021, Battelle for Kids was the victim of a cybersecurity ransomware attack. We immediately engaged a national cybersecurity firm to assess the scope of the incident and took steps to mitigate the potential impact. We have recently received findings and notified all impacted school systems.
Some student and staff information was exposed, including names, ID numbers and other information such as birthdates and schedules. Much of this exposed information was legacy or archive data from years past and not considered to be sensitive “personally identifiable information.” Battelle for Kids does not collect Social Security Numbers for students or staff. No social security numbers, no financial information (such as banking or credit card), no health data, no current course or schedule information, and no course grades were involved in this incident.
This incident has been reported to and investigated by the appropriate law enforcement authorities, including the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS). Battelle for Kids and our cybersecurity advisors are actively monitoring the Internet in case the data is posted or distributed. We can report that as of this time, there is no evidence to suggest that the data has been misused, posted, or distributed.
Ransomware attacks nearly doubled in 2021, according to the 2021 Annual Threat Monitor produced by NCC Group. Battelle for Kids has implemented additional security protocols and continues to monitor and take additional steps to protect data.”