The breach was part of a ransomware attack in December that targeted the teacher evaluation vendor Battelle for Kids. No financial records, addresses, or Social Security numbers were released in the attack. However, student names, schools, gender, CPS identification numbers, state ID numbers, dates of birth, class schedule information, and scores on specific assessments used for teacher evaluations were obtained in the leak, according to the Chicago Sun-Times.
The school said the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract,” including its failure to purge old school records and encrypt data, the outlet reported.
The data obtained was from students and employees who were at the school from 2015-16 through 2018-19 and affected 495,000 students and 56,000 employees. Staff information included in the breach included the names, employee identification numbers, school and course information, emails, and usernames of employees.
The district said it was first notified of the leak in April but did not have a thorough understanding of the scale of the breach or the information released until May 11.
The relationship between CPS and the evaluation vendor began in 2012 and helps the district keep track of the growth of its teachers. The company has been used every year since, with the most recent contract being signed in January.
Other school districts have also been affcted by the data breach, including both public and private schools in Ohio, with information that goes as far back as 2011.