The Chicago Public Schools (CPS) entity officially advised parents and students of a data breach occurring via a third-party nonprofit, Battelle for Kids. Battelle for Kids is a nonprofit company that stores student course and evaluation data.
CPS states in its own letter to parents that Battelle for Kids notified CPS in late April about a breach in December which exposed 500,000 children’s names, dates of birth, gender, grade level, school, CPS student ID number and state student ID number, information about the courses students took, and scores from performance tasks used for teacher evaluations during school years 2015-16, 2016-17, 2017-18 and/or 2018-19. In addition, the information of 60,000 teachers was also exposed. CPS said no Social Security Numbers, health data, financial information or current data on courses and grades were involved in the breach.
CISA and the FBI have already been involved in an investigation of the incident since April, and CPS said it is providing 12 months of free credit monitoring and identity theft protection for students and teachers affected by the attack.
Organizations should be aware that third-party services and partners that are not under strict regulatory scrutiny may often engage in late notification practices. Here, Battelle for Kids was aware of a breach in December but neglected to inform its partners or the FBI until late April. This exposes all entities and their end-clients to considerable risk, which can only be mitigated with a defense-in-depth strategy that invests in post-exploitation detection.
While CPS emphasized that Social Security Numbers (SSN) were not stolen in the breach, such information is easily found via other sources. The Social Security Administration offers free lookup of SSN on its website, for example, and there are numerous other legal and illegal databases and data services available.
Families should make use of the free identity theft monitoring services that were offered or utilize one of their own choice if the resources are available. One example in which such information can be misused is tax fraud and loan fraud. Student information can be paired with additional Open-Source Intelligence (OSINT) to file fraudulent income tax returns and student loan applications. These areas are not typically monitored by students or their guardians until after they turn 18 or apply for college financial aid.