500,000 Chicago students' info stolen in massive CPS data breach

A huge data breach has exposed four years’ worth of records of nearly 500,000 Chicago Public Schools (CPS) students and 60,000 employees.

The ransomware attack targeted a firm that has a no-bid contract with the school system for teacher evaluations and involved basic information — including students’ dates of birth — but no financial records or Social Security numbers, according to CPS.

The district said there is no evidence the data has been misused, posted or distributed, but offered affected families a year of credit monitoring and identity theft protection:

We are addressing the delayed notification and other issues in the handling of data with Battelle for Kids. Battelle for Kids informed CPS that the reason for the delayed notification to CPS was the length of time that it took for Battelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter.

CPS includes strong language in all of our vendor contracts to ensure the protection and security of personal information. We are working to ensure all vendors who use CPS data are handling that data responsibly and securely in compliance with their respective contracts to prevent this sort of incident from ever happening again.

Staff data accessed for those years included names, employee identification numbers, school and course information and emails and usernames. CPS said the breached server did not store any other records.

There were no Social Security numbers, no financial information, no health data, no current course or schedule information, no home addresses and no course grades, standardized test scores, or teacher evaluation scores exposedin this incident.

Last week, the Bank of Zambia, the country's central bank, reported that recent technical outages resulted from a hacker attack.