Ransomware attack on nonprofit causes data breach of 500,000 students, teachers in Chicago

A December ransomware attack on Ohio educational nonprofit Battelle for Kids led to a data breach involving the personal information of about 500,000 Chicago-area students and 60,000 teachers. 

In breach notification letters sent out Friday, Chicago Public Schools (CPS) told parents that the personal information of students from 2015-19 was involved in the attack on Battelle for Kids — a nonprofit tech company that stores student course information and assessment data for teacher evaluations.

The letter says Battelle for Kids only notified CPS in late April about the December incident, which exposed childrens’ names, dates of birth, gender, grade level, school, CPS student ID number and state student ID number; information about the courses students took; and scores from performance tasks used for teacher evaluations during school years 2015-16, 2016-17, 2017-18 and/or 2018-19.

CPS said no Social Security numbers, health data, financial information or current data on courses and grades were involved in the breach. 

CISA and the FBI have already been involved in an investigation of the incident and CPS said it is providing just 12 months of free credit monitoring and identity theft protection for students and teachers affected by the attack. 

CPS implied in the letter that it plans to continue working with Battelle for Kids, noting that the organization has allegedly “taken several mitigation measures to reduce the risk of this type of incident occurring in the future, including a plan for the timely and secure deletion of outdated data, migration to enterprise cloud services, enhanced network security, and the retention of a third-party security firm for up-to-date defenses and industry-leading practices for the ever-evolving needs of cybersecurity.”

But the school district noted in an FAQ that Battelle for Kids waited until April 26 to tell officials about the incident, and it was until May 11 that CPS received information on the affected 495,448 student records and 56,138 staff records. 

“Our vendor, Battelle for Kids, informed us that the reason for the delayed notification to CPS was the length of time that it took for Batelle to verify the authenticity of the breach through an independent forensic analysis, and for law enforcement authorities to investigate the matter,” CPS said. 

“Regardless, our contract with Battelle for Kids states that CPS is to be notified of any data breach immediately. We are addressing the delayed notification and other issues in the handling of data with Batelle for Kids. We are also working to ensure all vendors who use CPS data are handling that data responsibly and securely to prevent this sort of incident from ever happening again.”

In a statement to The Record, Battelle for Kids said it hired a cybersecurity firm to “assess the scope of the incident and took steps to mitigate the potential impact.”

The organization argued that most of the information accessed during the ransomware attack “was legacy or archive data from years past and not considered to be sensitive ‘personally identifiable information.’”

“Battelle for Kids and our cybersecurity advisors are actively monitoring the Internet in case the data is posted or distributed. We can report that as of this time, there is no evidence to suggest that the data has been misused, posted, or distributed,” the organization said. 

Ohio incidents

The company later implied that other school systems were affected beyond CPS, noting that when it received the findings of the Chicago investigation they notified other customers. 

Valley View High School in Ohio released its own notice that said it was informed on April 5 about the ransomware attack. The school sent out breach notification letters to students and families. 

Several other school districts in Ohio have sent out notices to parents about a potential breach. Battelle for Kids did not answer questions about how many school districts were affected but recently released a report that said it works with 2.84 million students in 276 different school districts. 

The Chicago Sun-Times reported that between 2012 and 2020, CPS paid Battelle for Kids $1.4 million and signed a $90,000 year-long contract renewal with the company in January – about 30 days after the ransomware attavk. 

New York City suffered a similar issue at the end of March when Illuminate Education – which owns popular school management platforms IO Classroom, Skedula, and Pupilpath – revealed that a January cyberattack exposed the personal information of 820,000 current and former students.