Chicago Public Schools Suffers Major Data Breach Affecting 100K Accounts

A latest data breach, speculated to be a ransomware, has affected Chicago Public Schools. The data breach has compromised over 100k accounts belonging to students and CPC staff. This is one of the first major data breach targeting a school in the US. This incident has been reported as a data breach. A data breach is an unauthorized attempt to acquire, misuse, sell or duplicate digital data that occurs due to loopholes in security defense, breach of confidentiality, or disruption in technology framework that is providing data security. In CPS’ case, Battelle for Kids has been found wanting as far as detecting, reporting and taking appropriate steps are concerned.

According to an official statement released by Chicago Public Schools, the data breach has affected current and past data related to personal biodata, student performance, teacher’s evaluation and CPS email addresses. The attackers apparently targeted important data types labeled as NAME, DOB, Gender, Grade Level, Student ID numbers, Scores and Assignments, and School Employee ID and email addresses. However, attackers haven’t managed to misuse, extort or post any of these data in the dark web, as per CPS.

At the time of reporting this incident, we spoke to cybersecurity experts.

Chris Hauk, consumer privacy champion, Pixel Privacy said, “This data breach appears to have affected both students and faculty equally. While no social security information, home addresses, or financial information was reportedly exposed, enough data was exposed that would provide a leg up for bad actors looking to gain additional information. Students and faculty must remain on the alert for any phishing attempts that use the gleaned information to acquire additional info.”

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG informed, “Ransomware attacks have become a growing threat to education centers across the United States. Schools are becoming more dependent on a computing infrastructure to support their daily functions, and they also hold a vast amount of sensitive information. This provides criminals with high-profile targets to infiltrate and hold data for ransom or steal and sell it.”

Erfan added, “School districts and universities need to understand that they are high-profile targets, and they need to assume that a cyber-attack is imminent. With that in mind, as the first step, they need to invest in a dynamic security awareness training program for both faculty and students so they can better identify security risks such as phishing emails and suspicious links. And then, they need to protect their data not just with enhanced perimeter security but with data-centric security such as tokenization applied directly to that data. Only robust data-centric security can help mitigate the situation if the wrong hands get ahold of sensitive data.”

What the Chicago Public Schools Said?

According to the official statement published by CPS, 495,448 student records containing Name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Student ID number, information about the courses students took, and scores from performance tasks used for teacher evaluations during school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.

56,138 staff records containing Name, school, employee ID number, CPS email address, Battelle for Kids username, course information from school years 2015-2016, 2016-2017, 2017-2018 and/or 2018-2019.

As an added measure to inform the students and staff affected by the data breach, CPS is sending personalized emails with the subject line – “Notification of Unauthorized Disclosure of Student/Staff Information.”