Experts wonder why it took vendor so long to notify Chicago Public Schools of data breach
CHICAGO (CBS) -- In the wake of a massive data breach involving more than half a million Chicago Public Schools students and staff, the district still wants to know why it took its vendor months to disclose the breach.
As CBS 2 Political Investigator Dana Kozlov reported, experts with whom we spoke said ransomware attacks in general – including those on school districts and vendors – are skyrocketing.
Chicago Public Schools families began getting emails late last week. They learned their children's information had been compromised in a data breach and ransomware attack at Battelle for Kids – a CPS vendor.
The emails state cybercriminals did not access students' Social Security numbers, but they did get names, dates of birth, genders, student ID numbers, and other information.
"There were over 1,000 ransomware attacks on schools in 2021," said Lisa Plaggemier of the nonprofit National Cybersecurity Alliance.
Plaggemier says a child's pristine credit history makes districts attractive targets.
"Your child's Social Security number is clean, right?" she said. "It's a Social Security number that can easily be abused for a long time."
It is a growing concern the CBS 2 Investigators first exposed blast September.
After a public records request that we sent to 60 of Illinois' 850 school districts, we found Palos Community Consolidated District 118 had been the victim of a ransomware attack – and didn't realize personal information had ended up on the dark web.
"Think of it as a cyber bomb," Crane Hassold, Director of Threat Intelligence at Abnormal Security, said in our September report. "It goes off, locks up all the data, shows the ransom note, and the situation goes from there."
Hackers lock up all of a system's data and hold it for ransom. In this breach involving CPS, it is not clear if Battelle for Kids had paid the cyber swindlers to get its money back – or why it took until late April to notify the district of the Dec. 1 breach.
"It's completely unacceptable it took five months for CPS to be notified by Battelle," said cyber expert Grant Geyer, who is the chief product officer at Claroty.
A CPS spokesperson said they are addressing the delay – adding Battelle officials told them an independent forensic analysis was first needed to verify the breach. Plaggemier is skeptical, and says this latest attack is another call for school boards to prepare and plan.
"Do we know whether or not we will pay the ransom? Because that's a policy decision - whether or not you're going to spend potentially taxpayer money to pay cybercriminals instead of paying teachers," she said. "To me, that's a moral decision, and a policy decision."
CPS is offering free credit monitoring to the students affected – a group that includes two of Kozlov's own kids. Experts highly recommend signing up.
Impacted families and staff are invited to call 833-909-4007, visit cps.edu/databreach or email BFK-Breach-Info@cps.edu for more information.
Kozlov also reached out to Battelle for Kids on Monday. There was no response.
